Ameliorate the need for re-authentication upon re-creating BBKs

[pejic]

In #271, browser bound keys (public key and signature) are added to the SPC response. By design a new browser bound key is created when not present when a user pays on a new device for the first time. In this scenario, the user would go through the following steps:

1. Press pay on a checkout page after identifying their payment method to the merchant
2. Press verify on the SPC prompt.
3. Identify themselves (i.e. via fingerprint or pin) on the WebAuthn prompt.
   1. The new BBK is returned to the checkout page
4. Go through another verification (say SMS OTP).
   1. This step-up may be required since this BBK was seen the first time, implying a new device is being used.
   2. This could be multiple steps for the user.

See March 27, 2025 meeting where this topic was an agenda item.

There are privacy considerations for WebAuthn. See 14.5.2 Authentication Ceremony Privacy. See also #275 where SPC output states are considered.