Add tooling to mitigate username enumeration

[Firehed]

See the following for details:

https://www.w3.org/TR/webauthn-2/#sctn-username-enumeration
https://www.w3.org/TR/webauthn-2/#sctn-credential-id-privacy-leak

One possible approach here is to have CredentialContainer automatically insert bogus identifiers into the returned list. If so, the count, length, and order should all be randomized.