I'm using a Trustkey G310. On WebAuthn-enabled sites (e.g. Bitwarden), the key requires a valid fingerprint to authenticate, effectively making the key two factors at once. While -O verify-required does validate against the key's PIN, it doesn't request fingerprint verification. I'd like to see fingerprint user validation supported.
I'd like to see this too - I'm trying to obtain hardware to help implement it.
I have tested against a pre-release Yubikey bio and the biometric authentication does work - it will set the "user verified" flag in the signature without needing a PIN. Assuming your device works similarly, then simply adding "verify-required" to your key lines in ~/.ssh/authorized_keys should be sufficient.
Just to clarify: you don't need to set verify-required when *generating* the key.
Tested "verify-required" as an option in authorized_keys, but I get "Permission denied" then. The key is blinking light-blue, indicating FIDO2 mode without fingerprint verification, while it should blink dark-blue, using FPV. Taken from an earlier conversation with Trustkey, it appears that ssh doesn't request the key to fp-verify. I'd expect the ssh client to request FPV when the server has the option verify-required present.
AFAIK there is no FIDO flag that we can set to request biometric verification. There is a concept of "user verification", but that is commingled with PIN verification. If you can figure out what flags your webauthn endpoint is setting then it might be possible to replicate them. It is possible that it is using a vendor extension for your key in particular...
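An added example, not part of the thread above and not OpenSSH's own code: a small parser for the sk-* signature blob layout documented in OpenSSH's PROTOCOL.u2f (string algorithm, string signature, byte flags, uint32 counter), showing the "user verified" bit that verify-required depends on. The sample blobs are constructed with a dummy signature, and all function names are hypothetical.

```python
import struct

# Authenticator flag bits carried in the signature's flags byte.
FLAG_UP = 0x01  # user presence (touch)
FLAG_UV = 0x04  # user verification (PIN or biometric, the key decides which)

SK_ALGS = {"sk-ssh-ed25519@openssh.com", "sk-ecdsa-sha2-nistp256@openssh.com"}


def _read_string(buf, off):
    """Read one SSH 'string' (uint32 length + bytes); return (value, next offset)."""
    if off + 4 > len(buf):
        raise ValueError("truncated length field")
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    if off + n > len(buf):
        raise ValueError("truncated string body")
    return buf[off:off + n], off + n


def parse_sk_signature(blob):
    """Parse: string alg, string signature, byte flags, uint32 counter."""
    alg, off = _read_string(blob, 0)
    alg = alg.decode("ascii", errors="replace")
    if alg not in SK_ALGS:
        raise ValueError("not a plain sk-* signature: " + alg)
    sig, off = _read_string(blob, off)
    if len(blob) - off != 5:
        raise ValueError("expected 1 flags byte + 4 counter bytes")
    flags, counter = struct.unpack_from(">BI", blob, off)
    return {"alg": alg, "sig_len": len(sig), "counter": counter,
            "up": bool(flags & FLAG_UP), "uv": bool(flags & FLAG_UV)}


def passes_verify_required(parsed):
    """True if the UV flag is set, which is what verify-required checks for."""
    return parsed["uv"]


def build_sample(flags, counter=7):
    """Constructed sample blob with a dummy 64-byte signature (not a real one)."""
    s = lambda b: struct.pack(">I", len(b)) + b
    return s(b"sk-ssh-ed25519@openssh.com") + s(bytes(64)) + struct.pack(">BI", flags, counter)


if __name__ == "__main__":
    for label, flags in (("touch only", 0x01), ("touch + UV", 0x05)):
        p = parse_sk_signature(build_sample(flags))
        print(label, p, "verify-required:", passes_verify_required(p))
```

The flags byte only records that user verification happened; it does not distinguish a PIN from a fingerprint, which matches the last comment's point that the two are commingled.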