In this scenario we have removed the need for passwords. The WebAuthn flow is exactly the same as for MFA, but for security reasons we could require userVerification (this is optional).

Note: When we say passwordless, what we mean is that no password is sent over the internet or stored in a database. Password, PINs or Biometrics might be used by the authenticator on the client

Explanation: Passwordless login with FIDO2

In this scenario, WebAuthn is used as together with a username to securely authenticate the user. This scenario can still be considered MFA (although no password is used) since the Authenticator can verify the User. The flow is visualized in the figure below.

In this flow the Relying Party should tell the Authenticator to do User Verification (set UserVerification to required) via Biometrics/pin, thus the authentication is MFA (Something the user has - the private key - and something the user knows/is - the PIN or biometrics). However in scenarios where security requirements are very low we we could discourage user verification to minimize the user interaction needed to sign in. If discouraged, only user presence will be checked (Any human is present at the device).

Read the source code for this demo here: passwordless.register.js and passwordless.login.js