totp

First, thank you for maintaining this wonderful tool!

Is your feature request related to a problem? Please describe.
PBKDF2-HMAC-SHA1 is no longer recommended, and may become a problem if there are too few iterations (SHA1 is the issue, especially in conjunction with the small number of iterations), although a 16byte/128bit salt remains fine. This only offers security if used in conjunctio

This will allow users to set up API mgmt for provisioners, and unblock users in environments where the ca.json is not easily accessible.

The --enable-admin flag would create the first provisioner and admin (this code already exists, just behind a boolean).
The --acme flag would create an ACME provisioner.

Related: smallstep/certificates#737

Tasks:

• add docs to token strategy (godoc)
• add links to the readme (api-key, bearer, x-header)

Currently all sessions are stored in a memory-engine, which means:

1. If the server restarts, all sessions expire.
2. If multiple servers are started, they can't share sessions

As big step forward, we would want to store sessions in MySQL.

This means a new 'storage engine' will have to be written for this session data. This should be done in this github project:

https://github.com/cur