Previously both methods were declared to throw only `ConfigurationError`
and callers did not catch it. This removes the now-overly-narrow
`@throws ConfigurationError` declarations and wraps both call sites in
`try/catch(Throwable)`, letting the enrollment form log the full
confidential trace and show the exception message inline rather than
leaving the user with an unhandled error page.
The enroll false path is also updated: `Notification::error()` is
replaced with `$this->onError()` to keep error feedback consistent with
the exception path.
Defines the contract every 2FA implementation must satisfy:
`getName()` / `getDisplayName()` for identification, `isEnrolled()` to check
whether a user has a stored credential, `verify()` to validate a submitted
token, `enroll()` / `unenroll()` to persist or remove the credential, and
`assembleEnrollmentFormElements()` to contribute method-specific form fields
to the enrollment UI.
