This isn't a viable option in practice, because Passkeys use "Resident Keys". This means the credential needs to be stored on the Yubikey - which has a limited number of key slots. Need to log in to more than 25 (I believe) websites? Tough luck!
Because the security key doesn't store any public keys.
Basically, the security key stores a single symmetric key. It'll generate a public/private keypair on registration, encrypt it, and send it to the server. On authentication the server will return the keypair back to the security key, which decrypts it and uses the retrieved private key for authentication.
I'm curious as to why the number of slots is so small. Surely this is not some kind of fundamental limitation on what's possible (or cheap) with hardware?
Because yubikeys were designed long before passkeys become a thing. And hardware people love cutting cost to the bare bone to save one cent of $50 device.
Yes, but that provides a significantly less secure experience. All the important cryptographic operations are done in a regular computer program rather than in a HSM, at that point why bother with the Yubikey at all?
Use a better token. YubiKey is the most popular one, not the best one by a long shot. My (cheaper) alternative supports 300 resident keys per each hardware key.
