2FA: Send email notifications when you enable/disable 2FA

[alexwlchan]

What's the problem this feature will solve?
A malicious actor enables (or disables) 2FA on somebody’s account without them realising. A message sent to the primary email address will tell somebody if ne’er do well’s are up to something.

Describe the solution you'd like
When the 2FA settings are changed on my account, send me an email.

Additional context
PyPI already sends an email when you change your password, for example:

Someone, perhaps you, has changed the password for your PyPI account alexwlchan.

If you did not make this change, you can email [email protected] to communicate with the PyPI administrators.

[brainwane]

Thanks @alexwlchan!

To do this the right way, we should wait till we have #5863 implemented, so we can draw on the event logging and use it to trigger this notification.

[nlhkabu]

This has also been requested in user testing.

It would be great if we could also specify recovery methods in the email, i.e.

• Link to page to get recovery codes (requires Implement 2FA recovery codes #5800)
• Explain manual account recovery process (requires Define manual account recovery process #5758)