Is your feature request related to a problem? Please describe.
Reference - https://www.w3.org/TR/webauthn-2/#sctn-username-enumeration
The above link mentions a possible email leak if we use email as a field for user identification. Even though, in the case of WebAuthn, the identifier is the username, we also accept an email as a required parameter and fail when that email already exists.
An attacker can attempt to sign up with an email that doesn't exist and will successfully sign up, but if the email already exists, we'll prompt the user with an error saying the email already exists. This indicates that the user already exists and that the particular email has an account with the relying party (OpenRegistry in our case).
Describe the solution you'd like
The solution is to interrupt the signup flow at the BeginRegistration step: we send an email with an OTP to the provided email address and ask the user to enter the OTP. If the OTP is valid, we proceed with the signup flow.
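As an added example (not OpenRegistry code, and not part of the issue above), here is what the proposed OTP gate looks like in Go, assuming an in-memory user store and a mailer that records messages instead of sending them; Signup, BeginRegistration, VerifyOTP, Mailer and the constants are names chosen for this illustration. It goes slightly beyond the proposal: besides emailing the code at BeginRegistration and only continuing on a valid OTP, it returns the same response whether the address is taken or free (the existing account owner gets a notice by mail instead of the client getting an "email already exists" error), and it keeps the verification step equally uniform, since a second-stage probe that could tell "no pending signup" from "wrong code" would reopen the same leak. Codes are hashed together with the address, expire, are single use, and are capped at a few attempts, because a 6-digit code is otherwise trivially brute-forced.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Constructed in-memory stand-ins (not OpenRegistry's API): names and shapes are assumptions.

const otpTTL = 10 * time.Minute
const maxOTPAttempts = 5 // a 6-digit code is brute-forceable without this cap
// genericMessage is what the client sees whether or not the email is taken.
const genericMessage = "If this address can be used to sign up, a code has been emailed to it."

// ErrVerification is the one error VerifyOTP returns; every failure cause maps to it so step two leaks nothing.
var ErrVerification = errors.New("verification failed; request a new code")

type pendingOTP struct {
	hash     [32]byte // sha256(email, code); the plaintext code is never stored
	expires  time.Time
	attempts int
}

type Mail struct{ To, Body string }
type Mailer struct{ Sent []Mail } // records mail instead of sending it
func (m *Mailer) Send(to, body string) { m.Sent = append(m.Sent, Mail{To: to, Body: body}) }

type Signup struct {
	existing map[string]bool // normalized emails already bound to an account
	pending  map[string]pendingOTP
	mailer   *Mailer
}

func NewSignup(existing map[string]bool, m *Mailer) *Signup {
	return &Signup{existing: existing, pending: map[string]pendingOTP{}, mailer: m}
}
func normalize(email string) string { return strings.ToLower(strings.TrimSpace(email)) }

// hashOTP binds the code to the address so a code mailed to one user is useless for another.
func hashOTP(email, code string) [32]byte { return sha256.Sum256([]byte(email + "\x00" + code)) }

// newOTP draws a 6-digit code from crypto/rand (never math/rand).
func newOTP() (string, error) {
	n, err := rand.Int(rand.Reader, big.NewInt(1_000_000))
	if err != nil {
		return "", err
	}
	return fmt.Sprintf("%06d", n.Int64()), nil
}

// BeginRegistration replaces the "email already exists" error with an emailed OTP
// gate. Taken and free addresses get the same response; the difference exists only
// in a mailbox the attacker does not control.
func (s *Signup) BeginRegistration(email string, now time.Time) (string, error) {
	email = normalize(email)
	code, err := newOTP() // drawn on both paths so their timing is similar
	if err != nil {
		return "", err
	}
	if s.existing[email] {
		s.mailer.Send(email, "Someone tried to sign up with this address, but you already have an account. Sign in instead.")
		return genericMessage, nil
	}
	s.pending[email] = pendingOTP{hash: hashOTP(email, code), expires: now.Add(otpTTL)}
	s.mailer.Send(email, "Your signup code is "+code)
	return genericMessage, nil
}

// VerifyOTP is the step the issue puts in front of the WebAuthn ceremony: only a
// true result lets the caller continue with passkey registration.
func (s *Signup) VerifyOTP(email, code string, now time.Time) (bool, error) {
	email = normalize(email)
	p, ok := s.pending[email]
	if !ok { // existing account or never started: same error as a wrong code
		return false, ErrVerification
	}
	if now.After(p.expires) {
		delete(s.pending, email)
		return false, ErrVerification
	}
	if p.attempts++; p.attempts > maxOTPAttempts {
		delete(s.pending, email)
		return false, ErrVerification
	}
	s.pending[email] = p
	got := hashOTP(email, code)
	if subtle.ConstantTimeCompare(p.hash[:], got[:]) != 1 {
		return false, ErrVerification
	}
	delete(s.pending, email) // single use; the WebAuthn ceremony may now begin
	return true, nil
}
```

Two caveats for a real deployment: the pending table has to live in shared storage so the verify request can land on a different instance than the begin request, and BeginRegistration still needs per-IP and per-address rate limiting, because an attacker who cannot read the response can still use the endpoint to spam inboxes.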