- better cleanup in failure cases

- proper system password database rather than using a loose bunch of files

- for login_totp-and-pwd it would be more convenient to be able to
log in with "password/totp" rather than "totp/password" - the extra
time to type a possibly complex password might require a sloppier time
window than desirable

- finish login_hotp
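
The time-window concern in the login_totp-and-pwd item, as an added example that is not code from this project: it splits a combined response in either order and checks the code against RFC 6238 TOTP with a configurable number of accepted past steps. The 30-second step, 6-digit HMAC-SHA1 codes, the splitting rules and all names and sample values are assumptions made for the illustration.

```python
import hashlib
import hmac
import struct

STEP = 30    # seconds per time step (RFC 6238 default; assumed, not from the page)
DIGITS = 6   # code length (assumed)


def totp(secret: bytes, t: int) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for Unix time t."""
    mac = hmac.new(secret, struct.pack(">Q", t // STEP), hashlib.sha1).digest()
    off = mac[-1] & 0x0F  # dynamic truncation offset (RFC 4226)
    val = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return str(val % 10 ** DIGITS).zfill(DIGITS)


def split_response(resp: str, totp_first: bool):
    """Return (password, code), or None if the response is malformed.

    The password may itself contain '/', so split next to the code:
    at the first '/' for "totp/password", at the last for "password/totp".
    """
    if totp_first:
        code, sep, password = resp.partition("/")
    else:
        password, sep, code = resp.rpartition("/")
    if not sep or len(code) != DIGITS or not (code.isascii() and code.isdigit()):
        return None
    return password, code


def verify(resp, totp_first, secret, password, now, past_steps):
    """Accept the code for the current step or up to past_steps earlier ones."""
    parts = split_response(resp, totp_first)
    if parts is None:
        return False
    pw_ok = hmac.compare_digest(parts[0].encode(), password.encode())
    code_ok = False
    for k in range(past_steps + 1):
        expected = totp(secret, max(now - k * STEP, 0))
        code_ok |= hmac.compare_digest(parts[1], expected)
    return pw_ok and code_ok


# Constructed sample values (the secret is the RFC 6238 test key).
SECRET = b"12345678901234567890"
PASSWORD = "c0rrect/horse"
```

With "totp/password", a code read at t=59 and submitted at t=79 after typing the password is rejected unless one past step is accepted; with "password/totp" the code is typed last and passes with no past steps.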
