fixup fig 2, further polish

index.bs

@@ -1510,10 +1510,10 @@ When this method is invoked, the [=authenticator=] must perform the following pr
 - Prompt the user to select a [=public key credential|credential=] from among the above list. Obtain [=user consent=] for using
     this [=public key credential|credential=]. The prompt for obtaining this [=user consent|consent=] may be shown by the
     [=authenticator=] if it has its own output capability, or by the user agent otherwise.
-- Process all the supported extensions requested by the client, and generate the [=authenticator data=] without
-    [=attestation data=] as specified in [[#sec-authenticator-data]]. Concatenate this [=authenticator data=] with the [=hash of
+- Process all the supported extensions requested by the client, and generate the [=authenticator data=] as specified in 
+    [[#sec-authenticator-data]], though without [=attestation data=]. Concatenate this [=authenticator data=] with the [=hash of
     the serialized client data=] to generate an [=assertion signature=] using the [=credential private key|private key=] of the
-    selected [=public key credential|credential=] [as shown in Figure 2, below](#fig-signature). A simple, undelimited
+    selected [=public key credential|credential=] as shown in [Figure 2](#fig-signature), below. A simple, undelimited
     concatenation is safe to use here because the [=authenticator data=] describes its own length. The [=hash of the serialized
     client data=] (which potentially has a variable length) is always the last element.
 - If any error occurred while generating the [=assertion signature=], return an error code equivalent to "{{UnknownError}}" and