So this should mean you can use the built-in biometric security of an iPhone or high end Android since those can also be used with WebAuthn in the built-in browser or with Firefox, or any security key, not just a Yubikey.
WebAuthn is easier (one tap login), it cannot be phished, it's privacy preserving, and yet somehow here we are in 2020 and most sites are like "Hmm, maybe we should add SMS 2FA?"
login.gov requires you to pick two second factors. So, either you had two Yubikeys (or I mention in a parallel sub-thread, any other type of FIDO Security Key or WebAuthn capable platform) or you had an entirely different second factor and that still works.
So this should mean you can use the built-in biometric security of an iPhone or high end Android since those can also be used with WebAuthn in the built-in browser or with Firefox, or any security key, not just a Yubikey.
WebAuthn is easier (one tap login), it cannot be phished, it's privacy preserving, and yet somehow here we are in 2020 and most sites are like "Hmm, maybe we should add SMS 2FA?"