
LG-10442: Fix required MFA redirect for platform authenticator #8850

Merged
aduth merged 1 commit into main from aduth-lg-10442-phishing-resistant-required-platform
Jul 27, 2023


@aduth aduth commented Jul 25, 2023

🎫 Ticket

LG-10442

🛠 Summary of changes

Fixes the behavior of the redirect logic for a partner requesting phishing-resistant MFAs to account for a user who has Face or Touch Unlock configured. Previously, the user would be redirected to authenticate with Security Key which, when combined with the changes introduced in #8795, would prevent the user from being able to successfully authenticate.

📜 Testing Plan

  1. Go to http://localhost:3000
  2. Create an account
  3. At MFA setup, select Face or Touch Unlock
    • You can select multiple MFA methods, but avoid Security Key and PIV as your second MFA method for the purpose of this bug
  4. Complete account creation
  5. Click "Forget all browsers" in account sidebar and confirm prompt
  6. Sign out
  7. With sample RP application running in a separate terminal process, go to http://localhost:9292/?aal=2-phishing_resistant
  8. Click "Sign in"
  9. Sign in to the account created previously

Before: You are prompted for a Security Key, but you cannot complete this step because you don't have a Face/Touch Unlock credential configured.

After: You are prompted for your Face/Touch Unlock credential.

changelog: Upcoming Features, Face or Touch Unlock, Fix required MFA redirect for phishing-resistant-required request
@aduth aduth requested a review from a team July 25, 2023 14:29
@aduth aduth merged commit a3a9cd0 into main Jul 27, 2023
@aduth aduth deleted the aduth-lg-10442-phishing-resistant-required-platform branch July 27, 2023 16:45