Conversation

@jolness1 jolness1 commented Jan 26, 2026

🎟️ Tracking

#6893

https://bitwarden.atlassian.net/browse/PM-31212

📔 Objective

After the change to the new 10 WebAuthn key limit for premium users, it was possible to register more than 5 keys, but any keys registered past that point did not work for login because the old hardcoded limit of 5 was left in place rather than dynamically checking whether the user had a premium subscription.

Note: This does not force the login to not load all 10 keys on free accounts since it is already enforced during registration.

Reason: If a user loses their first 5 WebAuthn keys and also has had their premium subscription lapse, I would think we wouldn't want to lock them out of their account entirely. I do not have strong feelings on this but enforcing on registration seems like enough. Definitely an edge case, though I wanted to explain my logic as it was a deliberate choice.

I can see why it might be better to prevent login via keys beyond the free limit: users should have their recovery code, and not doing so would mean that some small subset of users who pay for a year and let it lapse can continue to use more than 5 security keys, etc.

Happy to make a change for a stricter check to defend against what seems like a super remote edge case if reviewers feel that's needed!

📸 Screenshots

Possible to add more than 5 keys on a premium account (behavior consistent before and after fix):

premium-account-add-key.mov

6th+ key does not work as 2nd factor (pre-fix, undesirable behavior):

bug-behavior-of-keys-over-5.mov

Key under the old 5 key limit still works (behavior consistent before and after fix):

key-under-5-behavior.mov

Behavior after fix is what would be expected:

fixed-behavior-of-keys-over-5.mov

Free account still limited to 5 key maximum (sanity check — no changes to registration flow):

free-acct-test.mov

⏰ Reminders before review

  • Contributor guidelines followed
  • All formatters and local linters executed and passed
  • Written new unit and / or integration tests where applicable
  • Protected functional changes with optionality (feature flags)
  • Used internationalization (i18n) for all UI strings
  • CI builds passed
  • Communicated to DevOps any deployment requirements
  • Updated any necessary documentation (Confluence, contributing docs) or informed the documentation team

🦮 Reviewer guidelines

  • 👍 (:+1:) or similar for great changes
  • 📝 (:memo:) or ℹ️ (:information_source:) for notes or general info
  • ❓ (:question:) for questions
  • 🤔 (:thinking:) or 💭 (:thought_balloon:) for more open inquiry that's not quite a confirmed issue and could potentially benefit from discussion
  • 🎨 (:art:) for suggestions / improvements
  • ❌ (:x:) or ⚠️ (:warning:) for more significant problems or concerns needing attention
  • 🌱 (:seedling:) or ♻️ (:recycle:) for future improvements or indications of technical debt
  • ⛏ (:pick:) for minor or nitpick changes
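The three login-time behaviours discussed in the description (the pre-fix hardcoded 5, the PR's choice of enforcing the limit only at registration, and the stricter alternative of re-checking entitlement at login) modelled as an added example. This is illustrative code, not Bitwarden's server code; the constants, the `User` model and the `lapsed_premium_scenario` helper are assumptions made for the example, and the scenario data is constructed.

```python
from dataclasses import dataclass, field

# Limits as named in the PR; assumed constants for this model, not the server's.
FREE_KEY_LIMIT = 5
PREMIUM_KEY_LIMIT = 10


@dataclass
class User:
    premium: bool
    # Registered WebAuthn credential IDs in registration order (constructed sample data).
    credential_ids: list[str] = field(default_factory=list)


def key_limit(user: User) -> int:
    """Entitlement: premium users may register 10 keys, free users 5."""
    return PREMIUM_KEY_LIMIT if user.premium else FREE_KEY_LIMIT


def register_key(user: User, credential_id: str) -> None:
    """Registration-time enforcement, which the PR leaves unchanged."""
    if credential_id in user.credential_ids:
        raise ValueError("credential already registered")
    if len(user.credential_ids) >= key_limit(user):
        raise ValueError(f"key limit of {key_limit(user)} reached")
    user.credential_ids.append(credential_id)


def login_candidates_buggy(user: User) -> list[str]:
    """Pre-fix behaviour: only the first 5 registered keys are loaded at login,
    whatever the subscription, so a 6th+ key never verifies as a second factor."""
    return user.credential_ids[:5]


def login_candidates_lenient(user: User) -> list[str]:
    """The PR's chosen behaviour: every registered key is loaded at login,
    because the limit was already enforced when the key was registered."""
    return list(user.credential_ids)


def login_candidates_strict(user: User) -> list[str]:
    """The stricter alternative the description mentions: the login-time limit
    follows the user's current entitlement, so a lapsed premium user is cut
    back to the first 5 keys."""
    return user.credential_ids[:key_limit(user)]


def can_login_with(user: User, credential_id: str, policy) -> bool:
    """True if the presented credential is among the keys the policy loads."""
    return credential_id in policy(user)


def lapsed_premium_scenario() -> dict[str, bool]:
    """Edge case from the description: a premium user registers 7 keys, loses the
    first 5, and lets premium lapse. Returns whether key 6 still logs in under
    each policy. Scenario data is constructed for the example."""
    user = User(premium=True)
    for i in range(1, 8):
        register_key(user, f"key-{i}")
    user.premium = False  # subscription lapsed; registered keys remain on the account
    return {
        "buggy": can_login_with(user, "key-6", login_candidates_buggy),
        "lenient": can_login_with(user, "key-6", login_candidates_lenient),
        "strict": can_login_with(user, "key-6", login_candidates_strict),
    }


def free_account_registration_capped() -> bool:
    """Sanity check mirroring the free-account screenshot: a 6th key is rejected."""
    user = User(premium=False)
    for i in range(1, 6):
        register_key(user, f"key-{i}")
    try:
        register_key(user, "key-6")
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(lapsed_premium_scenario())
    print("free account capped at 5:", free_account_registration_capped())
```

The lenient policy is the one the description argues for: registration is the single enforcement point, so a lapsed user keeps access to keys 6 and up rather than being locked out. The strict policy is the trade-off the author acknowledges, where the login path re-derives the limit from the current subscription.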

@jolness1 jolness1 requested a review from a team as a code owner January 26, 2026 02:42
@bitwarden-bot
Thank you for your contribution! We've added this to our internal tracking system for review.
ID: PM-31217
Link: https://bitwarden.atlassian.net/browse/PM-31217

Details on our contribution process can be found here: https://contributing.bitwarden.com/contributing/pull-requests/community-pr-process.

@bitwarden-bot bitwarden-bot changed the title [PM-31212] Change hardcoded 5 key WebAuthn limit for login to check if premium [PM-31217] [PM-31212] Change hardcoded 5 key WebAuthn limit for login to check if premium Jan 26, 2026
@jolness1 jolness1 changed the title [PM-31217] [PM-31212] Change hardcoded 5 key WebAuthn limit for login to check if premium [PM-31212] Change hardcoded 5 key WebAuthn limit for login to check if premium Jan 26, 2026
@djsmith85 djsmith85 linked an issue Jan 26, 2026 that may be closed by this pull request
1 task
@ike-kottlowski ike-kottlowski requested review from enmande and removed request for ike-kottlowski January 26, 2026 15:37

Development

Successfully merging this pull request may close these issues.

WebAuthn devices beyond previous max do not work as 2FA

2 participants