@jarkko Confusingly, the YubiKey has multiple capabilities that have the same function, and it's difficult to know what your key is using at any one moment.
I think in this case, it is a difference between U2F and FIDO2. FIDO2 has a higher standard for authenticating and it is used in passwordless authentication.
The user's flow is also completely dependent on how the website implements their authentication service. They could require a password even if they use FIDO2.
@jarkko Is this true even if coming from a completely different system for the first time?
@jarkko There aren't many sites that use FIDO2 keys yet. These are also called resident keys and they are stored in the YubiKey. You can use the yubico manager to remove these keys/accounts since you have a limited number.
The idea behind 2 factor is that it is harder to impersonate someone with each factor. The factors are typically what you know (password), what you are (biometrics), and what you have (hardware key [yubikey]).
FIDO2 has 2fa built in since you have to physically touch the key (1st factor), and you need to enter a pin (2nd factor). The pin takes the place of your regular password.
Apple and Google are rolling out passkeys, which use the FIDO2 interface. They work because you need to have your phone (1st factor), and you need to pass biometrics (2nd factor).
@jarkko You're welcome! I remember struggling a lot to straighten all of this out after getting my first yubikey. It doesn't help that names of protocols change or are ambiguous, and some documentation assumes you have some existing knowledge.