Support WebAuthn as 2FA method

Add support for WebAuthn beside U2F behind a feature flag.

Limitation around the feature flag: WebAuthn is a superset of the U2F specification. U2F registration can be converted to WebAuthn registrations (although it is out of scope for this issue), but not the other way around. Because of that, we control the rollout of the feature with the feature flag, but we shouldn't disable and enable it at any time. Once we switch it on, there's no way back.