This is for resident keys. A YubiKey 5 supports an infinite number of non-resident WebAuthn keys, because the returned key handle will simply be the private key encrypted with a master key stored on the YubiKey. For authentication the service will send the stored key handle back to the YubiKey which then can decrypt it and use the decrypted private key to sign the challenge.
Envelope encryption. Neat. Can WebAuthn keys be (made) a resident key? If so, is that preferred instead?
Conversely, what use case is there for resident keys in context of WebAuthn? For example, if there are multiple master keys, can I switch between them per browser / website (assuming the master key itself is a resident key and not burnt into the element)? Thanks.
The WebAuthn API can register a resident key on the YubiKey. This will basically store the username, private key and domain on the YubiKey. The website then can later request authentication based off a resident key. This will cause your web browser to query the YubiKey for resident keys of the website. You then can select the resident key with the correct username and will be logged in based on strong cryptography without needing to enter your password or username. Depending on your YubiKey configuration you might need to enter your YubiKey pin for this to work. See the screenshot in this comment on a GitHub issue: https://github.com/keepassxreboot/keepassxc/issues/3560#issu...
The website will need to support this of course. Also the amount of storage available for resident keys on the YubiKey is limited.