Webauthn - demo

Verified on server:
rpId
Challenge
Signature
User id
Credentials id
User present
User verified
Logged on
Logged on as: Not logged on

Should let you choose on your phone if you have multiple user IDs for this site.

At this point we don't know the credentialId; we only learn it when the device returns it from the validate call.
* However, we know the public key of the device from its earlier enrollment.
* From the credentialId we can determine the user ID, and the user can log in if the signature check succeeds.
* We can trust flags like user present because they have been signed.
* We look up the public key from the credentialId and use it to verify the signature over the challenge. So if the credentialId was changed to that of another existing user, the public key would be different and the signature check would fail.
* User verified seems to indicate that the user was near the computer when logging in. This prevents someone from sending a login request to a user far away.
* Bluetooth seems to be needed for transferring data about the user from the device to the computer. This avoids having to transfer it through Google, Microsoft, etc.
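
The server-side checks described above, as an added example (not the demo's own code): the stored public key is looked up by credentialId, the signature over authenticatorData and the clientDataJSON hash is verified, and only then are the user present / user verified flags read. ES256 credentials, the Map-based store, the function names, and the example.test values are assumptions; the key pairs and assertions are constructed sample input.

```javascript
// Added example, not the demo's code: ES256 keys and a Map as server store are assumptions.
const crypto = require('node:crypto');
const sha256 = (b) => crypto.createHash('sha256').update(b).digest();
const UP = 0x01, UV = 0x04; // user present / user verified bits in authData[32]
const fail = (reason) => ({ ok: false, reason });

// store: credentialId -> { userId, publicKey } saved at enrollment (hypothetical layout).
function verifyAssertion(store, expected, a) {
  const cred = store.get(a.credentialId);
  if (!cred) return fail('unknown credentialId');
  const client = JSON.parse(a.clientDataJSON.toString('utf8'));
  if (client.type !== 'webauthn.get') return fail('type');
  if (client.challenge !== expected.challenge) return fail('challenge');
  if (client.origin !== expected.origin) return fail('origin');
  if (a.authData.length < 37) return fail('authData');
  if (!a.authData.subarray(0, 32).equals(sha256(expected.rpId))) return fail('rpId');
  // The signature covers authData (rpIdHash, flags, counter) plus the clientDataJSON hash,
  // and is checked with the key stored for this credentialId, not one the client supplies.
  const signed = Buffer.concat([a.authData, sha256(a.clientDataJSON)]);
  if (!crypto.verify('sha256', signed, cred.publicKey, a.signature)) return fail('signature');
  if (a.userHandle && a.userHandle !== cred.userId) return fail('userHandle');
  const flags = a.authData[32]; // read only after the signature has verified
  return { ok: true, userId: cred.userId, userPresent: !!(flags & UP), userVerified: !!(flags & UV) };
}

// Constructed stand-in for the authenticator, only to produce sample input.
function makeAssertion(key, credentialId, userHandle, expected, flags) {
  const authData = Buffer.concat([sha256(expected.rpId), Buffer.from([flags, 0, 0, 0, 1])]);
  const clientDataJSON = Buffer.from(JSON.stringify(
    { type: 'webauthn.get', challenge: expected.challenge, origin: expected.origin }));
  const signature = crypto.sign('sha256', Buffer.concat([authData, sha256(clientDataJSON)]), key);
  return { credentialId, userHandle, authData, clientDataJSON, signature };
}

function demo() {
  const [alice, bob] = [0, 1].map(() => crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' }));
  const store = new Map([
    ['cred-alice', { userId: 'alice', publicKey: alice.publicKey }],
    ['cred-bob', { userId: 'bob', publicKey: bob.publicKey }],
  ]);
  const expected = { rpId: 'example.test', origin: 'https://example.test',
    challenge: crypto.randomBytes(32).toString('base64url') };
  const good = makeAssertion(alice.privateKey, 'cred-alice', 'alice', expected, UP);
  const swapped = { ...good, credentialId: 'cred-bob', userHandle: 'bob' }; // credentialId changed
  const flipped = { ...good, authData: Buffer.from(good.authData) };
  flipped.authData[32] |= UV; // UV bit set after signing
  const stale = verifyAssertion(store, { ...expected, challenge: 'challenge-of-another-session' }, good);
  return { good: verifyAssertion(store, expected, good), swapped: verifyAssertion(store, expected, swapped),
    flipped: verifyAssertion(store, expected, flipped), stale };
}
console.log(demo());
```

The swapped and flipped cases both fail at the signature step, which is the behaviour the notes above describe for a changed credentialId and for the signed flags.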

Fake id (Saved on your phone - returned as userHandle)

Fake name (Should be visible in your wallet on your phone)

ServerData (secrets and user hidden):

From/to validate

From/to create