And one more thing: The credentials that your token provides to the website during the registration process are signed by an "attestation key" created by the manufacturer, to prove its origin.

This allows the website to check what kind of token you have, and if it's a hardware token at all.

That's useful so that sites with high security requirements can for example require that you're really using a hardware token, instead of storing the passkey in your cloud-synced password manager.