As laid out in this article from August 2020:

https://hwsecurity.dev/2020/08/webauthn-pin-bypass/

Android 7+ (possibly other phone OS too ?) currently don't have a properly configured NFC system for Yubikeys when it comes to Passwordless login.

Their authentication system (as well as the above articles Browser-based exploit code) allows the browser-side authenticator to ignore the requirement of User Verification and send in a challenge that is recognized as valid, thus allowing a user to log in using just Username + NFC yubikey, without checking the UV at all.

You've already got one test in your test suite that has the proper code, so it is supported already:

Just need a mention in this piece of documentation that if using a key as Passwordless the "user_verification: true" needs to be in the .verify() code or it won't properly check it's a valid Passwordless (User Presence + User Verification) login, and an exploit can bypass it.

https://github.com/cedarcode/webauthn-ruby#publickeycredentialwithassertionverifychallenge-public_key-sign_count