CTAP Resident Credentials released without user consent
Reported by thomas.d...@gmail.com, Oct 31
Issue description

UserAgent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:63.0) Gecko/20100101 Firefox/63.0

Steps to reproduce the problem:
1. Register two or more resident credentials to the same origin
2. Call navigator.credentials.get with a PublicKeyCredentialRequestOptions with an empty allowList
3. Perform user gesture to allow credential to be released

What is the expected behavior?
Browser should prompt the user with the list of user IDs bound to the RP and for which to be returned to the RP.

What went wrong?
User is authenticated with one of the identities without user consent.

Upon decoding the HID frames, the browser sends the correct authenticatorGetAssertion. The authenticatorGetAssertion_Response contains the numberOfCredentials field set to the total number of credentials. The browser seems to discard this field, as it does not send the required authenticatorGetNextAssertion to retrieve the remaining credentials.

Did this work before? N/A

Chrome version: Version 70.0.3538.77 (Official Build) (64-bit) Channel: stable
OS Version: 6.1 (Windows 7, Windows Server 2008 R2)
Flash Version:
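The handling the report expects, as an added example that is not part of the original report or of Chrome's code: a client reads numberOfCredentials from the first response, fetches the remaining assertions with authenticatorGetNextAssertion, and lets the user choose which identity is released. `FakeAuthenticator`, `collect_assertions`, `get_assertion_with_consent` and the `choose_account` callback are names assumed for illustration, and the authenticator is simulated in memory rather than spoken to over HID.

```python
# CTAP2 authenticatorGetAssertion response map keys
KEY_CREDENTIAL, KEY_USER, KEY_NUMBER_OF_CREDENTIALS = 0x01, 0x04, 0x05


class FakeAuthenticator:
    """Constructed stand-in for a CTAP2 token; not a real transport."""

    def __init__(self, resident):
        self.resident = resident  # rp_id -> [(credential_id, user), ...]
        self.pending = []         # assertions not yet fetched
        self.log = []             # commands received

    def _response(self, cred_id, user, total=1):
        resp = {KEY_CREDENTIAL: {"type": "public-key", "id": cred_id}, KEY_USER: user}
        if total > 1:  # field is omitted when only one credential matches
            resp[KEY_NUMBER_OF_CREDENTIALS] = total
        return resp

    def get_assertion(self, rp_id):  # models a request with an empty allowList
        self.log.append("authenticatorGetAssertion")
        creds = self.resident.get(rp_id, [])
        if not creds:
            raise LookupError("CTAP2_ERR_NO_CREDENTIALS")
        self.pending = list(creds[1:])
        return self._response(*creds[0], total=len(creds))

    def get_next_assertion(self):
        self.log.append("authenticatorGetNextAssertion")
        if not self.pending:
            raise LookupError("CTAP2_ERR_NOT_ALLOWED")
        return self._response(*self.pending.pop(0))


def collect_assertions(auth, rp_id):
    """Fetch every assertion the token holds for rp_id, not just the first."""
    first = auth.get_assertion(rp_id)
    total = first.get(KEY_NUMBER_OF_CREDENTIALS, 1)
    return [first] + [auth.get_next_assertion() for _ in range(total - 1)]


def get_assertion_with_consent(auth, rp_id, choose_account):
    """Release one assertion; with several accounts the user picks which."""
    assertions = collect_assertions(auth, rp_id)
    if len(assertions) == 1:
        return assertions[0]
    picked = choose_account([a[KEY_USER] for a in assertions])
    if picked is None:
        raise PermissionError("user declined to release a credential")
    return assertions[picked]
```

The `log` attribute on the simulated token records which commands the client sent, which is the same signal the reporter read from the decoded HID frames.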
Comment 1 by dtapu...@chromium.org, Oct 31