Tighten some MFA/TOTP parameters to improve resistance to brute force attacks

Summary:
Depends on D19897. Ref T13222. See some discussion in D19890.

• Only rate limit users if they're actually answering a challenge, not if they're just clicking "Wait Patiently".
• Reduce the number of allowed attempts per hour from 100 back to 10.
• Reduce the TOTP window from +/- 2 timesteps (allowing ~60 seconds of skew) to +/- 1 timestep (allowing ~30 seconds of skew).
• Change the window where a TOTP response remains valid to a flat 60 seconds instead of a calculation based on windows and timesteps.

Test Plan:

• Hit an MFA prompt.
• Without typing in any codes, mashed "submit" as much as I wanted (>>10 times / hour).
• Answered prompt correctly.
• Mashed "Wait Patiently" as much as I wanted (>>10 times / hour).
• Guessed random numbers, was rate limited after 10 attempts.

Reviewers: amckinley

Reviewed By: amckinley

Maniphest Tasks: T13222

Differential Revision: https://secure.phabricator.com/D19898