Username+password -> username+password+security_key

(I know very little about this topic.)

Current setup for registration/login is:

  1. user types in username+password in browser
  2. browser sends username+password to server

I would like to change the setup to:

  1. user types in username+password in browser, presses key on security key
  2. browser sends username+password+security_key_token to server

On the server side, how much extra work is involved for this?

Here, by ‘security key’ I am referring to devices (like Yubico) that plug into the USB-A or USB-C ports.

From googling, there appear to be standards called “FIDO2” and “WebAuthn”, which may be related.