Right now, in apps that use this gem along with Devise's recoverable module, users won't be challenged with their two-factor authentication to change their password when going through the password recovery flow. In fact, if the recoverable module is configured to sign in after changing the password, users are able to essentially sign in, bypassing 2FA.
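An added example, not code from the gem or from Devise: a static check that flags an app exposed to the sign-in-after-reset case described above. It assumes the 2FA module is registered as `:two_factor_authenticatable` (pass a different symbol if your gem uses another name); the model and initializer snippets are constructed samples, and the helper names are hypothetical.

```ruby
# Assumption: the 2FA module symbol depends on the gem, so it is a parameter.
TWO_FACTOR_MODULES = %i[two_factor_authenticatable].freeze

# Drop `#` comments (naive: does not handle `#` inside string literals).
def strip_comments(src)
  src.lines.map { |l| l.sub(/#.*/, "") }.join
end

# Symbols passed to the model's `devise` macro, following trailing-comma continuations.
def devise_modules(model_src)
  lines = strip_comments(model_src).lines.map(&:strip)
  start = lines.index { |l| l.match?(/\Adevise\b/) } or return []
  call = lines[start]
  rest = lines[(start + 1)..]
  call += rest.shift while call.end_with?(",") && rest.any?
  call.scan(/(?<![\w:]):(\w+)/).flatten.map(&:to_sym)
end

# Effective value of Devise's sign_in_after_reset_password (defaults to true).
def sign_in_after_reset?(initializer_src)
  value = true
  strip_comments(initializer_src).each_line do |line|
    m = line.match(/\bconfig\.sign_in_after_reset_password\s*=\s*(\w+)/)
    value = (m[1] != "false") if m # last assignment wins
  end
  value
end

# True when a password reset ends in a signed-in session without a 2FA challenge.
def reset_bypasses_2fa?(model_src, initializer_src, two_factor: TWO_FACTOR_MODULES)
  mods = devise_modules(model_src)
  mods.include?(:recoverable) && (mods & two_factor).any? &&
    sign_in_after_reset?(initializer_src)
end

# Constructed sample inputs.
MODEL = <<~RUBY
  class User < ApplicationRecord
    devise :two_factor_authenticatable, :recoverable,
           :rememberable, :validatable
  end
RUBY
DEFAULT_INIT = <<~RUBY
  Devise.setup do |config|
    # config.sign_in_after_reset_password = true
  end
RUBY
HARDENED_INIT = DEFAULT_INIT.sub("# config.sign_in_after_reset_password = true",
                                 "config.sign_in_after_reset_password = false")
```

Setting `config.sign_in_after_reset_password = false` only removes the automatic sign-in; the password change itself still happens without a 2FA challenge.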