Tolerate unknown AuthenticatorVersion values while deserializing

[emlun]

I recently got a prototype FIDO_2_2 authenticator and noticed that WebAuthn operations with it fails when userVerification: "required", or when residentKey: "required". I traced the root cause to the deserialization of AuthenticatorVersion, which is intolerant of unknown values such as "FIDO_2_2". This causes Firefox to downgrade to the CTAP1 protocol for any authenticator whose getInfo contains "FIDO_2_2" (or any other unknown value, such as future versions), preventing use of any CTAP2-exclusive features with those authenticators.

Reproducing the issue

1. Launch Firefox 139.0 and open https://demo.yubico.com/webauthn-developers
2. In “Authenticator selection”, uncheck “excludeCredentials” and set “userVerification” to “discouraged”. Click “CREATE” at the bottom and create a credential using a FIDO_2_2 authenticator. Observe that the credential registration succeeds.
3. In “Authenticator selection”, change “userVerification to “required”. Again click “CREATE” at the bottom and create a credential using a FIDO_2_2 authenticator. Observe that the credential registration now fails.

Fixing the issue

This adds an AuthenticatorVersion::Unknown variant with #[serde(other)], causing unknown values to deserialize to that variant instead of being rejected. This is enough to prevent Firefox from downgrading FIDO_2_2 devices to CTAP1, so they can successfully use UV and other CTAP2-exclusive features.

This PR does not add a FIDO_2_2 variant since that would not actually add support for any features introduced in FIDO_2_2.

[emlun]

Related:

• New struct members added in CTAP 2.2 #334
• Unexpected keys in CTAP2 responses should be ignored #343

[jschanck]

Thanks!