Address review comments

Author: emlun

README

@@ -370,7 +370,7 @@ throw new RuntimeException("Authentication failed");
 
 Finally, if the previous step was successful, update your database using the
 link:https://developers.yubico.com/java-webauthn-server/JavaDoc/webauthn-server-core/2.4.1/com/yubico/webauthn/AssertionResult.html[`AssertionResult`].
-Most importantly you should update the signature counter, and the backup state flag if you use it. That might look something like this:
+Most importantly, you should update the signature counter. That might look something like this:
 
 [source,java]
 ----------

webauthn-server-core/src/main/java/com/yubico/webauthn/AssertionRequest.java

@@ -59,7 +59,7 @@ public class AssertionRequest {
    * <p>If both this and {@link #getUserHandle() userHandle} are empty, this indicates that this is
    * a request for an assertion by a <a
    * href="https://www.w3.org/TR/2021/REC-webauthn-2-20210408/#client-side-discoverable-public-key-credential-source">client-side-discoverable
-   * credential</a> (passkey), and identification of the user has been deferred until the response
+   * credential</a> (passkey). Identification of the user is therefore deferred until the response
    * is received.
    *
    * @see <a href="https://passkeys.dev/docs/reference/terms/#passkey">Passkey</a> in <a
@@ -77,7 +77,7 @@ public class AssertionRequest {
    * <p>If both this and {@link #getUsername() username} are empty, this indicates that this is a
    * request for an assertion by a <a
    * href="https://www.w3.org/TR/2021/REC-webauthn-2-20210408/#client-side-discoverable-public-key-credential-source">client-side-discoverable
-   * credential</a> (passkey), and identification of the user has been deferred until the response
+   * credential</a> (passkey). Identification of the user is therefore deferred until the response
    * is received.
    *
    * @see <a href="https://passkeys.dev/docs/reference/terms/#passkey">Passkey</a> in <a
@@ -111,7 +111,7 @@ private AssertionRequest(
    * <p>If both this and {@link #getUserHandle()} are empty, this indicates that this is a request
    * for an assertion by a <a
    * href="https://www.w3.org/TR/2021/REC-webauthn-2-20210408/#client-side-discoverable-public-key-credential-source">client-side-discoverable
-   * credential</a> (passkey), and identification of the user has been deferred until the response
+   * credential</a> (passkey). Identification of the user is therefore deferred until the response
    * is received.
    *
    * @see <a href="https://passkeys.dev/docs/reference/terms/#passkey">Passkey</a> in <a
@@ -130,7 +130,7 @@ public Optional<String> getUsername() {
    * <p>If both this and {@link #getUsername()} are empty, this indicates that this is a request for
    * an assertion by a <a
    * href="https://www.w3.org/TR/2021/REC-webauthn-2-20210408/#client-side-discoverable-public-key-credential-source">client-side-discoverable
-   * credential</a> (passkey), and identification of the user has been deferred until the response
+   * credential</a> (passkey). Identification of the user is therefore deferred until the response
    * is received.
    *
    * @see <a href="https://passkeys.dev/docs/reference/terms/#passkey">Passkey</a> in <a
@@ -227,7 +227,7 @@ public AssertionRequestBuilder publicKeyCredentialRequestOptions(
      *
      * <p>If this is empty, this indicates that this is a request for an assertion by a <a
      * href="https://www.w3.org/TR/2021/REC-webauthn-2-20210408/#client-side-discoverable-public-key-credential-source">client-side-discoverable
-     * credential</a> (passkey), and identification of the user has been deferred until the response
+     * credential</a> (passkey). Identification of the user is therefore deferred until the response
      * is received.
      *
      * @see <a href="https://passkeys.dev/docs/reference/terms/#passkey">Passkey</a> in <a
@@ -245,7 +245,7 @@ public AssertionRequestBuilder username(@NonNull Optional<String> username) {
      *
      * <p>If this is empty, this indicates that this is a request for an assertion by a <a
      * href="https://www.w3.org/TR/2021/REC-webauthn-2-20210408/#client-side-discoverable-public-key-credential-source">client-side-discoverable
-     * credential</a> (passkey), and identification of the user has been deferred until the response
+     * credential</a> (passkey). Identification of the user is therefore deferred until the response
      * is received.
      *
      * @see <a href="https://passkeys.dev/docs/reference/terms/#passkey">Passkey</a> in <a
@@ -268,7 +268,7 @@ public AssertionRequestBuilder username(String username) {
      * <p>If both this and {@link #username(String)} are empty, this indicates that this is a
      * request for an assertion by a <a
      * href="https://www.w3.org/TR/2021/REC-webauthn-2-20210408/#client-side-discoverable-public-key-credential-source">client-side-discoverable
-     * credential</a> (passkey), and identification of the user has been deferred until the response
+     * credential</a> (passkey). Identification of the user is therefore deferred until the response
      * is received.
      *
      * @see <a href="https://passkeys.dev/docs/reference/terms/#passkey">Passkey</a> in <a
@@ -287,7 +287,7 @@ public AssertionRequestBuilder userHandle(@NonNull Optional<ByteArray> userHandl
      * <p>If both this and {@link #username(String)} are empty, this indicates that this is a
      * request for an assertion by a <a
      * href="https://www.w3.org/TR/2021/REC-webauthn-2-20210408/#client-side-discoverable-public-key-credential-source">client-side-discoverable
-     * credential</a> (passkey), and identification of the user has been deferred until the response
+     * credential</a> (passkey). Identification of the user is therefore deferred until the response
      * is received.
      *
      * @see <a href="https://passkeys.dev/docs/reference/terms/#passkey">Passkey</a> in <a