https://webauthn.io/ is a demonstration app from Duo Security, which explains the W3C webauthn well.
Is the form on webauthn.io representative of a typical WebAuthn form? I can’t imagine your typical site visitor knowing what attestation is not what to choose for it or the authentication type fields.
I believe that https://webauthn.io/ is to demonstrate capabilities to developers - to encourage up take of Webauthn rather than as a demonstrator for an application user.
Umm, but from security perspective, it’s intended as complementary to passwords (i.e. 2nd factor), not as a replacement, no?
If I understand correctly, it is up to the developer. If the developer wants to ask a password in addition to the WebAuthn thing, it should be doable.