
Entering a PIN is known as "user verification." The point is to prove not just that you possess the key but also that you know a secret about the key. This is better than passwords for a number of reasons. The PIN doesn't need to be secure in the way that passwords need to be secure. The PIN is only sent between your browser and your FIDO2 device. If you somehow learned my PIN you couldn't do anything with that unless you also stole my YubiKey. And you can't brute force the PIN. Guess the wrong PIN more than 10 times on my YubiKey and the key will erase itself.

PINs make a lot of sense when you start using a YubiKey as your primary form of authentication (instead of as a second factor). Note that there are other ways to perform "user verification" besides a PIN. For example, biometrics are specified in the FIDO2 spec, and implemented by Yubico in their YubiKey Bio product.
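The three properties the comment above leans on (the PIN is checked inside the authenticator and never reaches the site, the site only learns a "user verified" flag inside signed authenticator data, and wrong guesses burn down a retry counter until the key erases itself) can be modelled in a few dozen lines. The following is an added example written for this page; it is not code from the commenter, Yubico, or the FIDO specs. Assumptions: the retry limit of 10 is the figure quoted in the comment (real devices publish their own), HMAC-SHA256 over a per-credential secret stands in for the ECDSA signature a real authenticator produces (so the relying party here holds the same secret rather than a public key), CTAP2's ECDH-encrypted PIN channel between browser and device is omitted, and the relying-party ID and client data hash are constructed inputs.

```python
"""Toy model of FIDO2 PIN user verification (added example, not vendor code).

Assumptions: MAX_RETRIES=10 is the comment's figure; HMAC stands in for the
credential's ECDSA signature; CTAP2's encrypted PIN transport is omitted.
"""
import hashlib
import hmac
import os
import struct
from typing import Optional, Tuple

MAX_RETRIES = 10  # assumption: figure from the comment, not a spec constant
FLAG_UP = 0x01    # WebAuthn authenticator-data flag bit: user present
FLAG_UV = 0x04    # WebAuthn authenticator-data flag bit: user verified

RP_ID = "example.com"                                            # constructed
CLIENT_DATA_HASH = hashlib.sha256(b"constructed clientDataJSON").digest()  # constructed


class AuthenticatorWiped(Exception):
    """Retry counter hit zero: credentials erased; knowing the PIN is now useless."""


class PinInvalid(Exception):
    """Wrong PIN; args[0] is the number of retries left."""


class ToyAuthenticator:
    def __init__(self, pin: str) -> None:
        # CTAP2 compares LEFT(SHA-256(PIN), 16); the PIN itself is never stored.
        self._pin_hash = hashlib.sha256(pin.encode()).digest()[:16]
        self.retries = MAX_RETRIES
        self.sign_count = 0
        self.wiped = False
        self._cred_secret: Optional[bytes] = os.urandom(32)  # stand-in for the private key

    def credential_verifier(self) -> bytes:
        """What the RP registers. Real FIDO2: a public key. Here: the HMAC key (assumption)."""
        assert self._cred_secret is not None
        return self._cred_secret

    def _verify_pin(self, pin: str) -> None:
        candidate = hashlib.sha256(pin.encode()).digest()[:16]
        if hmac.compare_digest(candidate, self._pin_hash):
            self.retries = MAX_RETRIES  # a correct PIN resets the counter
            return
        self.retries -= 1
        if self.retries == 0:
            self.wiped = True           # the device erases its key material
            self._cred_secret = None
            raise AuthenticatorWiped()
        raise PinInvalid(self.retries)

    def get_assertion(self, rp_id: str, client_data_hash: bytes,
                      pin: Optional[str] = None) -> Tuple[bytes, bytes]:
        """Return (authenticatorData, signature). UV is set only after a correct PIN."""
        if self.wiped:
            raise AuthenticatorWiped()
        flags = FLAG_UP  # the touch (user presence) is modelled as always given
        if pin is not None:
            self._verify_pin(pin)
            flags |= FLAG_UV
        self.sign_count += 1
        # Assertion authenticatorData: rpIdHash (32) || flags (1) || signCount (4, BE)
        auth_data = (hashlib.sha256(rp_id.encode()).digest()
                     + bytes([flags]) + struct.pack(">I", self.sign_count))
        sig = hmac.new(self._cred_secret, auth_data + client_data_hash, hashlib.sha256).digest()
        return auth_data, sig


def rp_verify(verifier: bytes, rp_id: str, client_data_hash: bytes,
              auth_data: bytes, sig: bytes, require_uv: bool) -> bool:
    """Relying-party side. Note what is absent from the arguments: the PIN."""
    if auth_data[:32] != hashlib.sha256(rp_id.encode()).digest():
        return False
    flags = auth_data[32]
    if not flags & FLAG_UP:
        return False
    if require_uv and not flags & FLAG_UV:
        return False
    expected = hmac.new(verifier, auth_data + client_data_hash, hashlib.sha256).digest()
    return hmac.compare_digest(expected, sig)


def brute_force(auth: ToyAuthenticator, rp_id: str, cdh: bytes, candidates) -> dict:
    """Attacker who holds the device but not the PIN tries candidates in order."""
    attempts = 0
    for guess in candidates:
        attempts += 1
        try:
            auth.get_assertion(rp_id, cdh, pin=guess)
            return {"attempts": attempts, "found": guess, "wiped": False}
        except PinInvalid:
            continue
        except AuthenticatorWiped:
            return {"attempts": attempts, "found": None, "wiped": True}
    return {"attempts": attempts, "found": None, "wiped": auth.wiped}
```

Two things fall out of the model. An attacker who has the PIN but a different device cannot produce an assertion that verifies against the registered credential, and an attacker who has the device but not the PIN gets at most MAX_RETRIES guesses before the credential secret is gone, so a four-digit PIN with 10,000 possibilities is not enumerable. Flipping the UV bit in transit also fails, because the flags are covered by the signature. On real CTAP2 hardware the browser additionally sends the PIN hash encrypted under an ECDH-derived key rather than in the clear, which this model leaves out.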


