
In single factor mode (passwordless), your token is your password. So if you lose it, someone could access your accounts if they know your username.

The USB tokens don’t store a password, they store a master key pair, and then derive a site-specific key pair based on the URL you are connecting to. The site issues a challenge and the token signs it. This prevents replay attacks, and there is no way to export the secrets from the token. There is also no way to authenticate to a site by just having the key plugged in - you have to press the button on it. There is no way through software, even low-level USB HID commands, to trigger the button press.

Overall it’s really well designed and more secure than passwords, even in single factor mode.

The major downsides are that it requires browser support, and doesn’t work with iOS.
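The challenge-response flow the comment describes, as an added illustrative model (not code from the comment's author or from any real token): a per-origin key derived from a master secret, a signature that is only produced after a button press, and a site check that rejects a replayed assertion. It assumes HMAC-SHA256 as a stdlib stand-in for the token's ECDSA signature (so the site holds the per-site key instead of a public key), and a constructed origin and username.

```python
import hashlib, hmac, os

def _assertion(key, origin, challenge):
    # Stand-in for the token's ECDSA signature over the origin and the challenge
    return hmac.new(key, origin.encode() + challenge, hashlib.sha256).digest()

class Token:
    def __init__(self):
        self._master = os.urandom(32)   # master secret; never leaves the token
        self.button_pressed = False     # physical presence; nothing in software sets it
    def register(self, origin):
        # Per-origin key derived from the master secret, so one token yields unlinkable
        # keys per site. A real token returns a public key; here the site gets the MAC key.
        return hmac.new(self._master, origin.encode(), hashlib.sha256).digest()
    def sign(self, origin, challenge):
        if not self.button_pressed:
            raise PermissionError("user presence required")
        self.button_pressed = False     # one press authorises exactly one assertion
        return _assertion(self.register(origin), origin, challenge)

class RelyingParty:
    def __init__(self, origin):
        self.origin, self.keys, self.pending = origin, {}, {}
    def register(self, user, token):
        self.keys[user] = token.register(self.origin)
    def challenge(self, user):
        self.pending[user] = os.urandom(32)  # fresh nonce per attempt, consumed on verify
        return self.pending[user]
    def verify(self, user, sig):
        chal = self.pending.pop(user, None)
        if chal is None:
            return False                 # no outstanding challenge: a replayed assertion
        # Also fails for a signature made with another origin's key (a look-alike domain)
        return hmac.compare_digest(_assertion(self.keys[user], self.origin, chal), sig)

def demo():
    tok, rp = Token(), RelyingParty("https://example.com")   # constructed origin
    rp.register("alice", tok)                                # constructed username
    chal = rp.challenge("alice")
    try:
        tok.sign(rp.origin, chal)        # plugged in but untouched: the token refuses
        blocked = False
    except PermissionError:
        blocked = True
    tok.button_pressed = True            # the user touches the token
    sig = tok.sign(rp.origin, chal)
    login = rp.verify("alice", sig)
    return blocked, login, rp.verify("alice", sig)   # (True, True, False): replay rejected
```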
