audit the Web Authentication API

As of Firefox 60, Mozilla has enabled support for the Web Authentication API by default. We should audit it or at least understand it better, or we should disable it by setting security.webauth.webauthn to false. See: https://bugzilla.mozilla.org/show_bug.cgi?id=1432542

To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information