WebAuthn (and its predecessor U2F, you should not roll out new U2F deployments but old ones are slow to upgrade) sits on top of FIDO, which has a protocol CTAP (Client To Authenticator Protocol) for this purpose.
At the extreme case, when you're asked to sign in with a Security Key you could have an authenticator with dedicated flash storage, screen and fingerprint reader so it can display like:
"Site news.ycombinator.com is prompting you to authenticate as blueblisters [484D2A8BBF] blueblisters@example.com - You last used this credential 16 hours 41 minutes ago. Touch the fingerprint reader to continue"
But in the real world the cheapest options have zero flash, zero display, just a push button and an LED. The LED flashes to indicate that you're being asked to press the button, your pressing it means you signify that you're present. All the data is still sent to them, but they can't display it, you have to trust your browser to validate what was sent.
This means it's unsafe to "press the button" when plugged into a general purpose computer unless prompted by an application you trust with your credentials, like a web browser you're using to sign in to sites.
If the authenticator has no storage it can only really act as a Second Factor this way. But a device with storage can replace all steps of logging in if you want. No need to enter a password, an email address, anything, just one tap to get in. Apple is promoting this for the new iOS. A current YubiKey does have storage, and so it can do this, but the storage is very limited, unlike an iPhone with gigabytes of Flash memory.
https://fidoalliance.org/specs/fido-v2.0-ps-20190130/fido-cl...
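Since a button-and-LED authenticator cannot show which site it is signing for, the relying party has to check what came back. The following is an added example, not part of the original comment: it parses the fixed 37-byte header of WebAuthn authenticator data (RP ID hash, flags, signature counter) and checks the site binding and the user-present bit. Function names and sample values are constructed for illustration, and signature verification is assumed to happen separately.

```python
import hashlib
import struct
from dataclasses import dataclass

FLAG_UP = 0x01  # user present: the button press or touch
FLAG_UV = 0x04  # user verified: PIN or biometric checked by the authenticator

@dataclass
class AuthData:
    rp_id_hash: bytes
    user_present: bool
    user_verified: bool
    sign_count: int

def parse_authenticator_data(raw: bytes) -> AuthData:
    # Layout: 32-byte SHA-256 of the RP ID, 1 flags byte, 4-byte big-endian counter.
    if len(raw) < 37:
        raise ValueError("authenticator data shorter than 37 bytes")
    flags, sign_count = struct.unpack(">BI", raw[32:37])
    return AuthData(raw[:32], bool(flags & FLAG_UP), bool(flags & FLAG_UV), sign_count)

def check_authenticator_data(raw, expected_rp_id, stored_sign_count, require_uv=False):
    """Return a list of problems; an empty list means every check passed."""
    ad = parse_authenticator_data(raw)
    problems = []
    # The authenticator signs over the hash of the site it was asked about.
    if ad.rp_id_hash != hashlib.sha256(expected_rp_id.encode()).digest():
        problems.append("rp_id_mismatch")
    if not ad.user_present:
        problems.append("user_not_present")
    if require_uv and not ad.user_verified:
        problems.append("user_not_verified")
    # A counter of 0 on both sides means the authenticator does not keep one.
    if (ad.sign_count or stored_sign_count) and ad.sign_count <= stored_sign_count:
        problems.append("sign_count_not_increased")
    return problems

def build_sample(rp_id: str, flags: int, sign_count: int) -> bytes:
    # Constructed test input, not a capture from a real authenticator.
    return hashlib.sha256(rp_id.encode()).digest() + struct.pack(">BI", flags, sign_count)

if __name__ == "__main__":
    sample = build_sample("news.ycombinator.com", FLAG_UP, 42)
    print(check_authenticator_data(sample, "news.ycombinator.com", 41))
    print(check_authenticator_data(sample, "login.example", 41))
```
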