[v11] Improve FIDO2 UX with user-friendly errors #17580

Merged
merged 6 commits into from
Oct 26, 2022


codingllama
Contributor

Improves FIDO2 login/registration UX by letting users choose (almost) any
available key and then presenting a user-friendly error if the operation cannot
be done.

New devices are now polled for continuously, as we can't eagerly filter devices
anymore. All FIDO2 devices, regardless of their capabilities, are made to wait
for user interaction: once the user interacts with the device we either complete
the operation successfully or return a reason for failure.

U2F-only devices are still silently ignored, as before. They don't respond well
to FIDO2 APIs and proved to be unwieldy in practical tests. (Maybe we can tackle
those in a follow up.)

Examples of new UX:

# Attempting passwordless login on a non-capable device (lack of PIN)
$ tsh login --proxy=zarquon --user=ihaveitall --auth=passwordless
> Tap your security key
> ERROR: device not registered for passwordless

# Attempting passwordless registration on a non-capable device (lack of PIN)
$ tsh mfa add --type=WEBAUTHN --name=test --allow-passwordless
> Tap any *registered* security key
> Tap your *new* security key
> ERROR: device lacks PIN or user verification capabilities

Backport #17441 to branch/v11
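
The select-on-touch flow from the description above, as an added Go example that is not Teleport's code. The `Device`, `Event` and `Run` names and the two-flag capability model are assumptions for illustration; only the two error messages come from the description.

```go
package main

import "errors"

// Messages as shown in the PR description; the variable names are hypothetical.
var (
	ErrNotPasswordless = errors.New("device not registered for passwordless")
	ErrNoUV            = errors.New("device lacks PIN or user verification capabilities")
)

// Device is a constructed stand-in for a plugged-in security key.
type Device struct {
	Name                       string
	FIDO2, HasUV, Passwordless bool // FIDO2=false: U2F-only; HasUV: PIN/UV set up
}

// Event is one poll result: a newly seen device, or a tap on a known one.
type Event struct {
	Plugged *Device
	Touched string
}

// Run models passwordless login (register=false) or registration (register=true).
func Run(events []Event, register bool) (string, error) {
	waiting := map[string]*Device{}
	for _, ev := range events {
		// No capability filter: every FIDO2 key waits for a tap; U2F-only is skipped.
		if d := ev.Plugged; d != nil && d.FIDO2 {
			waiting[d.Name] = d
		}
		d, ok := waiting[ev.Touched] // plug events have no Touched name, so !ok
		switch {
		case !ok: // tap on an ignored or unknown key: keep polling
		case register && !d.HasUV:
			return "", ErrNoUV
		case !register && !d.Passwordless:
			return "", ErrNotPasswordless
		default:
			return d.Name, nil
		}
	}
	return "", errors.New("no device selected")
}

func main() {
	evs := []Event{{Plugged: &Device{Name: "no-pin", FIDO2: true}}, {Touched: "no-pin"}}
	_, err := Run(evs, false)
	println("ERROR:", err.Error())
}
```

The capability check runs only after the tap, which is what lets the caller report a specific reason instead of silently skipping the key.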

@codingllama
Contributor Author

Keeping as a draft for now, will mark as ready after 11.0.

@codingllama codingllama marked this pull request as ready for review October 25, 2022 18:04
@codingllama
Contributor Author

11.0 is out, so happy to merge this one soon. PTAL.

@codingllama
Contributor Author

I just ran a few manual tests using this branch to be extra sure, not as extensive as before but it looks alright. Toggling auto-merge.

@codingllama codingllama enabled auto-merge (squash) October 26, 2022 18:13
@codingllama codingllama merged commit ff60788 into branch/v11 Oct 26, 2022
@github-actions github-actions bot deleted the bot/backport-17441-branch/v11 branch October 26, 2022 18:22
4 participants