Avoid user verification

The server uses preferred for the userVerification option when creating credentials. With this value, the native Windows implementation (used by Edge, and starting with Windows 1903, Chrome and Firefox as well) will require user verification if supported. If a security key supports a pin and does not have one set, the user will be required to create one. Having to set a pin to try out a simple demo is bit annoying and wouldn’t be that bad on it’s own, but unfortunately it ends up creating bunch of future annoyances:

• Once a pin is set it, Windows seems to require it for all credential creation via the Webauthn API (but not U2F for some reason), even if userVerification is discouraged and the security key itself doesn’t require the pin.
• After setting a pin, all sites that don’t explicitly set userVerification to discouraged suddenly require pin entry.
• On YubiKeys, the pin can’t be removed without a reset, so you’re stuck with it after trying the demo.

I recommend changing this option to discouraged to streamline the demo and avoid triggering the above issues. The same should be done for credential validation where userVerification is currently unspecified and defaults to preferred. In that case it would just be to streamline the demo; I’m not aware of any problems caused by the default value.