feat(security): make WebAuthn user verification configurable

User verification was hardcoded to PREFERRED. Add a webauthn_user_verification
setting (default "preferred") wired into WebAuthnService for both registration
and authentication, so identity-provider deployments can require it.

Refs: porchlight-is8

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

tests/test_authn/test_webauthn.py

@@ -17,6 +17,7 @@ from fido2.webauthn import (
     PublicKeyCredentialDescriptor,
     PublicKeyCredentialType,
     RegistrationResponse,
+    UserVerificationRequirement,
 )
 
 from porchlight.authn.webauthn import WebAuthnService
@@ -194,6 +195,19 @@ def test_begin_authentication_prefers_user_verification() -> None:
     assert pub_key["userVerification"] == "preferred"
 
 
+def test_user_verification_is_configurable() -> None:
+    service = WebAuthnService(
+        rp_id=RP_ID,
+        rp_name=RP_NAME,
+        origin=ORIGIN,
+        user_verification=UserVerificationRequirement.REQUIRED,
+    )
+    reg, _ = service.begin_registration(user_id=b"user-123", username="alice")
+    assert reg["publicKey"]["authenticatorSelection"]["userVerification"] == "required"
+    auth, _ = service.begin_authentication()
+    assert auth["publicKey"]["userVerification"] == "required"
+
+
 def test_begin_authentication_returns_options_and_state() -> None:
     service = _make_service()
     _, cred_id, _attested = _generate_credential()