Execute the WebAuthn authentication ceremony client-side using navigator.credentials.get and verify the assertion server-side

Steps

1. Fetch a fresh server-generated challenge from your backend; associate it with the user's session and set a short expiry (e.g. 60 seconds).
2. Construct PublicKeyCredentialRequestOptions with the challenge, rpId, userVerification preference, and allowCredentials listing the credential IDs registered for the user.
3. Call navigator.credentials.get({ publicKey: options }) and await the PublicKeyCredential assertion.
4. Send response.id, response.response.clientDataJSON, response.response.authenticatorData, and response.response.signature to the server.
5. Server verifies: parse and decode clientDataJSON (type must be 'webauthn.get', challenge matches and is consumed, origin matches), compute rpIdHash and compare with authenticatorData bytes, verify the UP bit is set, check UV bit against policy, then verify the signature over authenticatorData + hash(clientDataJSON) using the stored public key.
6. Check the authenticatorData signCount: if it is greater than the stored count update it; if it is less than or equal (and neither is zero) flag possible authenticator cloning and consider requiring re-enrollment.