Passwordless - FIDO2 for .NET
Enabling smooth sign in using FIDO2 / WebAuthn
This is a scenario where we just want to use FIDO as the MFA. The user registers and logs in with their username and password. For demo purposes, we trigger the MFA registration on sign up.
In this scenario, WebAuthn is used only as a second-factor mechanism. MFA stands for Multi-Factor Authentication, which generally means it relies on something the user knows (username & password) and something the user has (the authenticator's private key). The flow is visualized in the figure below.
In this flow the Relying Party does not necessarily need to tell the Authenticator device to verify the human identity (we could set UserVerification to discouraged), which minimizes the user interactions needed to sign in. More on UserVerification in the other scenarios.
Read the source code for this demo here: mfa.register.js and mfa.login.js
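The UserVerification choice described above, seen from the Relying Party's side, as an added example (it is not the demo's mfa.login.js or the library's code). The function names, scenario strings and sample bytes are assumptions, as is the policy of requiring UV for a passwordless sign in; the flag bits and header layout follow the WebAuthn specification.

```javascript
// Added example; function names, scenario strings and sample bytes are hypothetical.
const FLAG_UP = 0x01; // bit 0: user present (e.g. touched the key)
const FLAG_UV = 0x04; // bit 2: user verified (PIN or biometric)

// Request options for the second-factor step. The password has already been
// checked, so user verification is discouraged to save the user a PIN prompt.
function buildMfaAssertionOptions(challenge, credentialIds) {
  return {
    challenge,
    userVerification: "discouraged",
    allowCredentials: credentialIds.map((id) => ({ type: "public-key", id })),
  };
}

// Header layout: rpIdHash (32 bytes) | flags (1) | signCount (4, big-endian).
function parseAuthenticatorData(bytes) {
  if (!(bytes instanceof Uint8Array) || bytes.length < 37) {
    throw new Error("authenticatorData shorter than 37 bytes");
  }
  const view = new DataView(bytes.buffer, bytes.byteOffset, bytes.byteLength);
  return {
    rpIdHash: bytes.slice(0, 32),
    userPresent: (bytes[32] & FLAG_UP) !== 0,
    userVerified: (bytes[32] & FLAG_UV) !== 0,
    signCount: view.getUint32(33, false),
  };
}

// "discouraged" is only a request; the Relying Party decides what it accepts.
// Assumed policy: "mfa" needs UP, "passwordless" needs UP and UV.
function checkUserFlags(authData, scenario) {
  const data = parseAuthenticatorData(authData);
  if (!data.userPresent) return { ok: false, reason: "UP flag not set" };
  if (scenario === "passwordless" && !data.userVerified) {
    return { ok: false, reason: "UV flag required but not set" };
  }
  return { ok: true, reason: "flags satisfy the " + scenario + " policy" };
}

// Constructed sample: zeroed rpIdHash, the given flags byte and signCount.
function sampleAuthData(flags, signCount) {
  const bytes = new Uint8Array(37);
  bytes[32] = flags;
  new DataView(bytes.buffer).setUint32(33, signCount, false);
  return bytes;
}

console.log(checkUserFlags(sampleAuthData(FLAG_UP, 7), "mfa"));
console.log(checkUserFlags(sampleAuthData(FLAG_UP, 7), "passwordless"));
```

This covers only the flag check; a complete assertion verification also compares rpIdHash with the hash of the RP ID, validates the challenge and origin, and verifies the signature.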