This isn't a viable option in practice, because Passkeys use "Resident Keys". This means the credential needs to be stored on the YubiKey - which has a limited number of key slots. Need to log in to more than 25 (I believe) websites? Tough luck!
Because the security key doesn't store any public keys.
Basically, the security key stores a single symmetric key. It'll generate a public/private keypair on registration, encrypt it, and send it to the server. On authentication the server will return the keypair back to the security key, which decrypts it and uses the retrieved private key for authentication.
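The wrap-and-return flow described in the comment above, as an added example that is not part of the thread or any vendor's firmware: the token keeps one secret and every per-site key lives in a handle the server stores. Assumptions: `Token`, `register` and `unwrap` are hypothetical names, the HMAC-SHA256 keystream and tag are a standard-library stand-in for an authenticated cipher, a SHA-256 digest stands in for the public key, and binding the handle to the site name is a choice made for this sketch.

```python
import hashlib
import hmac
import secrets


class Token:
    """Toy security key: the only persistent state is one 32-byte secret."""

    def __init__(self):
        self._master = secrets.token_bytes(32)  # never leaves the device

    def _subkey(self, label, rp_id):
        # Separate encryption and MAC keys, both bound to the site (assumption).
        return hmac.new(self._master, label + rp_id.encode(), hashlib.sha256).digest()

    def _stream(self, rp_id, nonce):
        # 32 bytes of keystream: enough for one 32-byte private key.
        return hmac.new(self._subkey(b"enc", rp_id), nonce, hashlib.sha256).digest()

    def _tag(self, rp_id, body):
        return hmac.new(self._subkey(b"mac", rp_id), body, hashlib.sha256).digest()

    def register(self, rp_id):
        """Make a per-site key; return (public stand-in, key handle for the server)."""
        private_key = secrets.token_bytes(32)  # stand-in for an EC private scalar
        nonce = secrets.token_bytes(16)
        ciphertext = bytes(a ^ b for a, b in zip(private_key, self._stream(rp_id, nonce)))
        body = nonce + ciphertext
        public_id = hashlib.sha256(private_key).digest()  # stand-in for the public key
        return public_id, body + self._tag(rp_id, body)   # nothing is kept on the token

    def unwrap(self, rp_id, handle):
        """Recover the private key from a handle the server sent back, or raise."""
        if len(handle) != 80:
            raise ValueError("malformed key handle")
        body, tag = handle[:48], handle[48:]
        # Check the tag before decrypting, in constant time.
        if not hmac.compare_digest(tag, self._tag(rp_id, body)):
            raise ValueError("handle was not issued by this token for this site")
        nonce, ciphertext = body[:16], body[16:]
        return bytes(a ^ b for a, b in zip(ciphertext, self._stream(rp_id, nonce)))
```

Because `register` leaves nothing behind on the token, the number of sites is bounded by server-side storage rather than by on-device slots, which is the contrast with resident keys drawn in the thread.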
I'm curious as to why the number of slots is so small. Surely this is not some kind of fundamental limitation on what's possible (or cheap) with hardware?
Because YubiKeys were designed long before passkeys became a thing. And hardware people love cutting costs to the bare bones to save one cent on a $50 device.
Yes, but that provides a significantly less secure experience. All the important cryptographic operations are done in a regular computer program rather than in an HSM. At that point, why bother with the YubiKey at all?
Use a better token. YubiKey is the most popular one, not the best one by a long shot. My (cheaper) alternative supports 300 resident keys per each hardware key.