Explanation: Passwordless login with FIDO2
In this scenario, WebAuthn is used as together with a username to securely authenticate the user. This scenario can still be considered MFA (although no password is used) since the Authenticator can verify the User.
The flow is visualized in the figure below.
In this flow the Relying Party should tell the Authenticator to do User Verification (set UserVerification to required) via Biometrics/pin, thus the authentication is MFA (Something the user has - the private key - and something the user knows/is - the PIN or biometrics). However in scenarios where security requirements are very low we we could discourage user verification to minimize the user interaction needed to sign in. If discouraged, only user presence will be checked (Any human is present at the device).
Read the source code for this demo here: passwordless.register.js and passwordless.login.js