U2F was explicitly designed only as a second factor. ("Universal 2nd Factor") but WebAuthn is not.

Even with U2F you could (it wasn't recommended) just not actually have passwords. Use their second factor as your only factor. In this scenario the user needs to provide their username (email address, whatever you're using) because their FIDO token doesn't know who they are either -- it needs to be presented with a cookie [which it gave the site when the user registered to use this FIDO token], and you've probably got a database table mapping users to cookies and public keys.

In FIDO2 the token is capable of handling resident credentials. No cookie, resident credentials are permanently inside the token itself.

The massive downside of this is that obviously the token has finite storage for such credentials, a Yubikey can store 25. Whereas for ordinary FIDO (all the WebAuthn deployments I've seen outside Microsoft) there's no practical limit.

The upside is that since the token has your credentials it can now do the entire sign-in, no need for even a username so the login flow is much nicer.

Of course while convenient on its own that's arguably worse security - if a bad guy steals your token they're in without even knowing your username, much like the proximity card badges often used for site access. So the fix is that a FIDO2 token in this mode can be (usually will be) set to require a PIN or some other factor. This seems like we're back to passwords again, but it's different because the extra factor is local to your device. Bad guys can't steal PINs from devices in bulk or brute force them, they need to steal your FIDO2 token and then brute force that somehow.