Passwordless is not one thing. A yubikey does not do biometric auth.
More than that "who you are" should not be used as a factor of auth but as a user id aka username. It identifies, it does not authenticate unless you can revoke it and guarantee it can't easily be reproduced.
That's not true, many years ago all you needed was long range camera or even photo to reproduce finger print and fool iphones. Especially with ML advances and considering future capabilities, biometrics is just about the worst choice. When you pick a cipher in crypto for example, you want it to resist future attacks and take small cracks seriously because they can be improved upon right? Same thing here except biometrics are a fixed immutable identifier.
More than that "who you are" should not be used as a factor of auth but as a user id aka username. It identifies, it does not authenticate unless you can revoke it and guarantee it can't easily be reproduced.