Understanding the WebAuthn/2FA/Yubikey integration


For some passwords I use pass, which uses GPG, thus making it possible to store the private key on my hardware token (Yubikey). Password decryptions have to go through the Yubikey, which always requires a physical touch.

Does Vaultwarden’s WebAuthn/2FA support provide the same amount of guarantees, or does it do something different?

I’d appreciate some technical explanations of how this works.

Also, is it possible to use multiple Yubikeys with the same vault? With pass/GPG, I can create the same private key offline and clone it identically onto multiple Yubikeys. Is (something like) this also possible with Vaultwarden?