Use preferred user verification policy for webauthn

I noticed my security keys weren't prompting me for a pin and saw `discouraged` uv policy was being used. Is there a historical reason this was discouraged / disabled? I'm happy to close if so and just patch this on my personal deployment instead. Thanks!