
Add error message if authenticator does not support PRF #122

Merged
merged 1 commit into from
Nov 29, 2023

Conversation

emlun
Member

@emlun emlun commented Nov 24, 2023

Adds an error message in case the browser is PRF compatible but the authenticator (security key) is not, as described in #81 (comment).

[Screenshot: screenshot-2023-11-24T12:27:06+01:00]

The "learn more" link leads to the PRF compatibility documentation.

Testing

To test this, you'll either need an authenticator that supports passkeys but not the hmac-secret extension (so an iPhone would probably work?), or to run this snippet in the developer console before clicking the "Sign up with passkey" button:

// Keep a reference to the real create() so the override can delegate to it.
origCreate = navigator.credentials.create;
navigator.credentials.create = async function(options) {
  // Relax the passkey requirements so a non-passkey key is accepted.
  options.publicKey.authenticatorSelection.residentKey = "discouraged";
  options.publicKey.authenticatorSelection.userVerification = "discouraged";
  const pkc = await origCreate.call(this, options);
  // Copy the fields explicitly (they are prototype getters on PublicKeyCredential)
  // and replace the extension results with "browser supports PRF, authenticator does not".
  return {
    authenticatorAttachment: pkc.authenticatorAttachment,
    id: pkc.id,
    rawId: pkc.rawId,
    response: pkc.response,
    type: pkc.type,
    getClientExtensionResults: () => ({ prf: { enabled: false } }),
  };
}

This snippet simulates the incompatibility by overriding the PRF extension output with what it would look like if the browser supports PRF but the authenticator does not.

Alternatively, if you have a pre-FIDO2 (U2F) security key (for example a YubiKey NEO), you can use this snippet instead:

// Keep a reference to the real create() so the override can delegate to it.
origCreate = navigator.credentials.create;
navigator.credentials.create = function(options) {
  // Only relax the passkey requirements; the extension results are left untouched.
  options.publicKey.authenticatorSelection.residentKey = "discouraged";
  options.publicKey.authenticatorSelection.userVerification = "discouraged";
  return origCreate.call(this, options);
}

This instead disables the requirement that the security key must support passkeys (PIN and discoverable keys), which results in a PublicKeyCredential result that genuinely reflects what happens if the browser supports PRF but the security key does not support the hmac-secret CTAP extension.

@pstamatop pstamatop merged commit 9d5cbc3 into master Nov 29, 2023
@emlun emlun deleted the authenticator-prf-incompat branch December 1, 2023 12:31
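The PR description distinguishes two ways PRF can be unavailable: the browser does not implement the extension at all, or the browser does but the authenticator lacks hmac-secret and reports `prf.enabled === false`. The following is an added example, not code from the PR or the project, of how a relying party can tell those outcomes apart after `navigator.credentials.create()` and pick the right message. Function names, the message wording and the fake credential objects are constructed for this illustration; the `simulateAuthenticatorWithoutPrf` helper generalises the console snippet above into a reusable wrapper.

```javascript
// Added example (not from the PR): classify the PRF extension outcome of a
// WebAuthn registration and map it to a user-facing message.

const PRF_OUTCOME = Object.freeze({
  ENABLED: "enabled",
  BROWSER_UNSUPPORTED: "browser-unsupported",
  AUTHENTICATOR_UNSUPPORTED: "authenticator-unsupported",
});

// Inspect the client extension results of a newly created credential.
// - `prf` missing entirely: the browser does not implement the PRF extension.
// - `prf.enabled !== true`: the browser supports PRF, but the authenticator did
//   not enable it (no hmac-secret), which is the case this PR reports.
// - `prf.enabled === true`: PRF can be used with this credential.
function classifyPrfSupport(credential) {
  const results =
    typeof credential.getClientExtensionResults === "function"
      ? credential.getClientExtensionResults()
      : {};
  const prf = results && results.prf;
  if (prf === undefined || prf === null) return PRF_OUTCOME.BROWSER_UNSUPPORTED;
  return prf.enabled === true
    ? PRF_OUTCOME.ENABLED
    : PRF_OUTCOME.AUTHENTICATOR_UNSUPPORTED;
}

// Constructed placeholder messages (the PR's actual wording is in its screenshot).
const PRF_MESSAGES = Object.freeze({
  [PRF_OUTCOME.BROWSER_UNSUPPORTED]:
    "Your browser does not support the PRF extension.",
  [PRF_OUTCOME.AUTHENTICATOR_UNSUPPORTED]:
    "Your browser supports PRF, but this security key does not. Try another authenticator.",
});

// Returns null when registration can proceed, otherwise the message to show.
function prfErrorMessage(credential) {
  const outcome = classifyPrfSupport(credential);
  return outcome === PRF_OUTCOME.ENABLED ? null : PRF_MESSAGES[outcome];
}

// Constructed stand-in for a PublicKeyCredential so the check runs offline.
function fakeCredential(extensionResults) {
  return {
    authenticatorAttachment: "cross-platform",
    id: "constructed-credential-id",
    rawId: new Uint8Array([1, 2, 3]).buffer,
    response: {},
    type: "public-key",
    getClientExtensionResults: () => extensionResults,
  };
}

// Generalisation of the PR's console snippet: wrap any create() function so the
// credential it returns reports PRF as understood by the browser but not enabled
// by the authenticator. Fields are copied one by one because PublicKeyCredential
// exposes them as prototype getters that an object spread would not pick up.
function simulateAuthenticatorWithoutPrf(originalCreate) {
  return async function (options) {
    const pkc = await originalCreate.call(this, options);
    return {
      authenticatorAttachment: pkc.authenticatorAttachment,
      id: pkc.id,
      rawId: pkc.rawId,
      response: pkc.response,
      type: pkc.type,
      getClientExtensionResults: () => ({ prf: { enabled: false } }),
    };
  };
}

// Stand-alone demonstration on constructed input.
async function demo() {
  const withPrf = fakeCredential({ prf: { enabled: true } });
  console.log(classifyPrfSupport(withPrf));
  const simulatedCreate = simulateAuthenticatorWithoutPrf(async () => withPrf);
  const simulated = await simulatedCreate({ publicKey: {} });
  console.log(classifyPrfSupport(simulated), "->", prfErrorMessage(simulated));
}

demo();
```

In the real application the check would run on the object returned by `navigator.credentials.create()`; `classifyPrfSupport` deliberately treats a present `prf` without `enabled: true` as an authenticator problem, since a browser that never populates `prf` is the only signal for the browser-side case.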