So let's clarify a few things:
— Authenticator — A device or software running on some platform that is used to verify the user and produce assertions.
— User Verification — how the authenticator checks the user. That’s where the biometrics bit happens.
— Authentication — the process of verifying the user's authenticator assertion
So here are a few rules of FIDO engagement:
— An authenticator can be used with accounts on multiple websites
— An account can have multiple authenticators
So the flow would work like this:
— You create an account, register your mobile authenticator, and verify yourself with the fingerprint
— You log in to the website on the laptop and authenticate yourself via a push request
— You add your USB security key to your account since you are already logged in
FIDO authenticators can have different user verification methods. Some may use a fingerprint. Some may use a Client PIN. The point is that for passwordless you just need to perform multi-factor authentication, and a FIDO authenticator (something you have) plus biometrics (something you inherit) or a PIN (something you know) will satisfy that, thus providing passwordless authentication, since no passwords are sent over the internet.
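How a server can confirm that user verification (fingerprint or PIN) actually happened, as an added example that is not part of the original text. It assumes FIDO2/WebAuthn authenticator data (rpIdHash, flags, signature counter) and that the assertion signature is verified separately; `Account`, `check_passwordless`, `make_auth_data` and all sample values are hypothetical.

```python
import hashlib
import struct
from dataclasses import dataclass, field

FLAG_UP = 0x01  # user present (touched the authenticator)
FLAG_UV = 0x04  # user verified (authenticator checked fingerprint or PIN)

@dataclass
class Account:
    # One account, several authenticators: credential id -> last signature counter
    credentials: dict = field(default_factory=dict)

def parse_authenticator_data(auth_data):
    """Split the fixed header: rpIdHash(32) | flags(1) | signCount(4, big-endian)."""
    if len(auth_data) < 37:
        raise ValueError("authenticator data too short")
    flags = auth_data[32]
    sign_count = struct.unpack(">I", auth_data[33:37])[0]
    return auth_data[:32], flags, sign_count

def check_passwordless(account, cred_id, auth_data, rp_id):
    """Return (ok, reason). Assumes the caller already verified the signature."""
    if cred_id not in account.credentials:
        return False, "unknown credential"
    rp_id_hash, flags, sign_count = parse_authenticator_data(auth_data)
    if rp_id_hash != hashlib.sha256(rp_id.encode()).digest():
        return False, "rpId mismatch"  # assertion was made for another website
    if not flags & FLAG_UP:
        return False, "user not present"
    if not flags & FLAG_UV:
        return False, "user not verified"  # possession only, not multi-factor
    last = account.credentials[cred_id]
    if (sign_count or last) and sign_count <= last:
        return False, "counter did not increase"  # possible replay or clone
    account.credentials[cred_id] = sign_count
    return True, "ok"

def make_auth_data(rp_id, flags, sign_count):
    """Build constructed sample authenticator data (not captured from a device)."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count)

if __name__ == "__main__":
    acct = Account({"phone": 0, "usb-key": 0})  # constructed account with two authenticators
    verified = make_auth_data("example.com", FLAG_UP | FLAG_UV, 1)
    print(check_passwordless(acct, "phone", verified, "example.com"))
    print(check_passwordless(acct, "usb-key", make_auth_data("example.com", FLAG_UP, 1), "example.com"))
```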