by emlun 2957 days ago
Maybe I misspoke - by "optional" I meant "optionally required". The server can require the use of a PIN - and although the PIN verification is done client-side, the authenticator (YubiKey) sets a bit in the signed response to indicate whether a PIN was used. The server can then verify the authenticity of the bit if it trusts the authenticator's attestation certificate.

It's also allowed for authenticators to always require a PIN even if the server doesn't, but the current YubiKey obeys the server's preference.

But yes, there will of course be bugs. But that is also true for password logins, so I don't see it as a particularly convincing argument.
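The "bit in the signed response" is the User Verified (UV) flag in WebAuthn's authenticatorData. The following is an added example, not code from the comment or from Yubico, showing how a relying party parses that structure and enforces its own userVerification policy against the flag; the rp_id and the authenticatorData bytes are constructed for the demonstration.

```python
import hashlib
import struct
from dataclasses import dataclass

# Flag bits of the authenticatorData "flags" byte (WebAuthn Level 2, section 6.1).
FLAG_UP = 0x01  # User Present (touch)
FLAG_UV = 0x04  # User Verified (e.g. PIN entered for the authenticator)
FLAG_AT = 0x40  # Attested credential data follows
FLAG_ED = 0x80  # Extension data follows


@dataclass
class AuthData:
    rp_id_hash: bytes
    flags: int
    sign_count: int

    @property
    def user_verified(self) -> bool:
        return bool(self.flags & FLAG_UV)


def parse_auth_data(data: bytes) -> AuthData:
    """Parse the fixed 37-byte prefix: SHA-256(rpId) || flags || signCount."""
    if len(data) < 37:
        raise ValueError("authenticatorData too short")
    (sign_count,) = struct.unpack(">I", data[33:37])
    return AuthData(data[:32], data[32], sign_count)


def check_user_verification(auth: AuthData, rp_id: str, policy: str) -> bool:
    """Server-side checks from the assertion verification procedure.

    policy is the RP's userVerification preference ("required", "preferred",
    "discouraged"); only "required" lets the server reject on a clear UV bit.
    The flags byte is covered by the authenticator's signature, so a client
    cannot flip it; trusting that the authenticator sets it honestly is what
    attestation is for.
    """
    if auth.rp_id_hash != hashlib.sha256(rp_id.encode()).digest():
        return False
    if not auth.flags & FLAG_UP:
        return False
    if policy == "required" and not auth.user_verified:
        return False
    return True


def sample_auth_data(rp_id: str, flags: int, sign_count: int = 7) -> bytes:
    """Constructed sample authenticatorData (not a real capture)."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count)
```

Running check_user_verification with policy "required" on sample_auth_data("example.com", FLAG_UP | FLAG_UV) returns True, and on sample_auth_data("example.com", FLAG_UP) returns False.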