I want to limit the number of attempts the user makes to verify credentials using webAuthn on my website. How can I achieve this? Is there some exception I can catch to achieve this? Or can I programmatically limit the number of attempts?
Webauthn doesn't support limiting retries, as this is in general handled by the CTAP part of FIDO. It varies a lot depending on authenticator how they handle verification and retries, for example some do an internal retry without responding with data when the authentication fails. This is especially true for keys with only CTAP 2.0 implementation.
CTAP 2.1 keys have more options with retries but this always goes to the platform implementation, which in your case would be the browser and not the Javascript part. The browser engine then decides if it wants to retry or not, however most of the time this is done based on information given by the authenticator to the browser engine and how many times the authenticator wants the browser to retry.
The only limitations to verification is done through userVerification
in the get or create request.
You can view User verification description for more details