I stand corrected on some of my phrasing, thank you for the correction. However...
>Services do not need a copy to validate your password, and should never store one.
"Do not need" and "should" are the key words here. Users don't know how a site stores passwords; we have to trust them to use strong encryption when it comes to hashing, and to not store it in plaintext.
Users don’t know how a site implements FIDO either.
With any authentication system you do have to trust the server you’re accessing to identify you correctly. Take FIDO: sure, in theory someone would have to be close to you to steal the “thing you have”, but if the service you’re authenticating with doesn’t implement the protocol properly or is hacked, then attackers may be able to access your account without being anywhere near you.
All authentication schemes offer benefits only if implemented correctly.