
>"Passwordless" just means that prompt goes to an app where a user unlocks their device to approve the login.

Set up a yubikey with an attested cert/pub key. Require a pin to use said yubikey. Requiring attestation will prove that the private key was generated on the device, and will only live on that yubikey. That's your best bet.

It also satisfies the multi-factor needs. The something you have is the yubikey. The something you know is the PIN.
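
Added example, not part of the comment above: the relying-party side of the attestation check the comment recommends, written as a shell script around `openssl`. It assumes a PIV-style X.509 chain (vendor root, per-device certificate, per-key attestation certificate); every certificate, key, name and file path is a constructed stand-in, and `make_chain` and `key_is_attested` are hypothetical helper names.

```shell
#!/usr/bin/env bash
# Constructed stand-ins only: a throwaway chain plays the vendor root, the
# per-device certificate and the per-key attestation certificate.
set -eu

# make_chain DIR: root -> device (CA) -> attestation cert over the slot key,
# plus software.pub, a key that was never generated on the device.
make_chain() {
  local d=$1
  printf '[req]\ndistinguished_name=dn\nprompt=no\nx509_extensions=ca\n[dn]\nCN=unused\n[ca]\nbasicConstraints=critical,CA:TRUE\n' > "$d/req.cnf"
  printf 'basicConstraints=critical,CA:TRUE\n' > "$d/ca.ext"
  openssl req -x509 -config "$d/req.cnf" -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Example Vendor Root" -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
  openssl req -new -config "$d/req.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=Example Device Attestation" -keyout "$d/dev.key" -out "$d/dev.csr" 2>/dev/null
  openssl x509 -req -in "$d/dev.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -CAcreateserial -extfile "$d/ca.ext" -days 1 -out "$d/dev.pem" 2>/dev/null
  openssl req -new -config "$d/req.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=Example Slot Attestation" -keyout "$d/slot.key" -out "$d/slot.csr" 2>/dev/null
  openssl x509 -req -in "$d/slot.csr" -CA "$d/dev.pem" -CAkey "$d/dev.key" \
    -CAcreateserial -days 1 -out "$d/attest.pem" 2>/dev/null
  openssl pkey -in "$d/slot.key" -pubout -out "$d/slot.pub"
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 2>/dev/null |
    openssl pkey -pubout -out "$d/software.pub"
}

# key_is_attested ROOT DEVICE_CERT ATTEST_CERT PUBKEY: succeed only when the
# attestation chains to the pinned root and names exactly the enrolled key.
key_is_attested() {
  # -no-CApath keeps the system trust directory out of the decision.
  openssl verify -no-CApath -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1 || return 1
  [ "$(openssl x509 -in "$3" -noout -pubkey)" = "$(openssl pkey -pubin -in "$4" -pubout)" ]
}

# Demo: the slot key is accepted, the software-generated key is rejected.
work=$(mktemp -d); trap 'rm -rf "$work"' EXIT
make_chain "$work"
for k in slot software; do
  if key_is_attested "$work/root.pem" "$work/dev.pem" "$work/attest.pem" "$work/$k.pub"
  then echo "$k.pub: attested, enroll"; else echo "$k.pub: not attested, reject"; fi
done
```

In a real enrollment the root would be the vendor's published attestation root, pinned out of band, and the public key would come from the CSR or key the user submits.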


