In my opinion you should think of WebAuthn as the first factor. If you want additional second factors (of whatever nature they may be) you can still add these of course.
Thanks, I was thinking of it this way as well... for SSH keys I us a second factor as a hardware device but I can also use a hardware key for WebAuthn so that is where i was thinking maybe it's a 2nd factor... but for the web, I think it makes sense as a alternative to the password.
taf2|3 years ago