Indeed, especially when most computers and phones are literally covered in the target fingerprints.

The issue is not physical breaches by "dusting" fingerprint.

This comment was made before they changed the title. Previously it claimed you could log in without passwords, which is just plain wrong.

It depends on what the server chooses to support, but the spec is designed so that it will be possible to support login without a password. Instead the authenticator (e.g., phone or USB dongle) would locally ask for a PIN and/or fingerprint before unlocking the private key.