I read every Yubico publication and looked at the webinars, but they keep some information unsaid for some reason.
When using the Yubikey 5 for Single Strong Factor, they claim the authenticator (I guess they mean the physical key's CPU) generates a key-pair for every site you enroll to with the "resident keys" method. They admit there's a limit to the number of enrolls, since they each take up a slot on the key, so it's not unlimited like U2F. I therefore wonder:
Thanks for any info you know, whether FIDO2 in general or Yubico hardware specifically.
(Tried to tag this FIDO2 but I can't create a new tag)
I can try to answer some of your concerns:
"requireResidentKey": false
), then a new key pair is generated and stored on the device; when the relying party asks to use your key as a second factor only, key-wrapping is used and no internal memory is consumed. The YubiKey 5 can store only 25 key pairs (https://support.yubico.com/support/solutions/articles/15000014219-yubikey-5-series-technical-manual#FIDO2r09kph).
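An added example in JavaScript (not part of the answer above, and not Yubico's code) of the relying-party option the answer is talking about: `authenticatorSelection.residentKey` (and the older `requireResidentKey`) decides whether the YubiKey stores the key pair in one of its limited resident slots or hands back a key-wrapped credential, and the `credProps` extension tells the RP which one actually happened. The RP id, user, challenge and extension result are constructed placeholders; `navigator.credentials.create()` itself is not called, so the block runs offline.

```javascript
// Added example: which WebAuthn registration option makes a YubiKey 5
// store a key pair (resident / discoverable credential, uses one of the
// 25 slots) versus return a key-wrapped credential (no on-device storage).

// Build PublicKeyCredentialCreationOptions for the two enrollment styles.
// rp, user and challenge are placeholders; a real server sends a random challenge.
function buildCreationOptions(resident) {
  return {
    rp: { id: "example.test", name: "Example RP" },
    user: { id: new Uint8Array(16), name: "alice", displayName: "Alice" },
    challenge: new Uint8Array(32),
    pubKeyCredParams: [{ type: "public-key", alg: -7 }], // ES256
    authenticatorSelection: {
      authenticatorAttachment: "cross-platform",
      userVerification: resident ? "required" : "discouraged",
      // WebAuthn Level 2 name: "required" = store on the key,
      // "discouraged" = key-wrapped credential, "preferred" = key decides.
      residentKey: resident ? "required" : "discouraged",
      // Level 1 boolean kept for older browsers; must agree with residentKey.
      requireResidentKey: resident,
    },
    // Ask the client to report whether the credential became resident.
    extensions: { credProps: true },
  };
}

// Interpret the selection the way the authenticator will: does creating
// this credential consume a resident-key slot? Returns true, false, or
// "authenticator-decides" for "preferred".
function consumesResidentSlot(sel) {
  const rk = sel.residentKey || (sel.requireResidentKey ? "required" : "discouraged");
  if (rk === "required") return true;
  if (rk === "discouraged") return false;
  return "authenticator-decides";
}

// After create() resolves, the RP checks getClientExtensionResults().credProps.rk.
// If the client did not implement credProps, fall back to what was requested.
function classifyCredential(sel, clientExtensionResults) {
  const props = clientExtensionResults && clientExtensionResults.credProps;
  if (props && props.rk === true) return "resident";    // occupies a slot
  if (props && props.rk === false) return "key-wrapped"; // unlimited
  const requested = consumesResidentSlot(sel);
  if (requested === true) return "resident";
  if (requested === false) return "key-wrapped";
  return "unknown";
}
```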