At the cheapest end, something like a Yubico Security Key 2 does two factors with one being the physical key you have and the other being a PIN (such as "180479" or indeed "FkR0Mpg"). An adversary who steals the physical device needs to guess the PIN correctly before it locks out after a few wrong guesses.
Something like a decent Android phone uses a fingerprint as its second factor, Yubico make a physical device that does this if you've got cash burning a hole in your pocket.
In WebAuthn terms the remote site ("relying party") just asks for User Verification and checks that the UV bit is set on the signed message from the authenticator (all WebAuthn signatures will have UP (User Present) set, but UV is a separate bit)
At the cheapest end, something like a Yubico Security Key 2 does two factors with one being the physical key you have and the other being a PIN (such as "180479" or indeed "FkR0Mpg"). An adversary who steals the physical device needs to guess the PIN correctly before it locks out after a few wrong guesses.
Something like a decent Android phone uses a fingerprint as its second factor, Yubico make a physical device that does this if you've got cash burning a hole in your pocket.
In WebAuthn terms the remote site ("relying party") just asks for User Verification and checks that the UV bit is set on the signed message from the authenticator (all WebAuthn signatures will have UP (User Present) set, but UV is a separate bit)