Last weekend I could play a bit more with the ESP32 board to implement BLE transport for FIDO2 WebAuthN protocol. The great BLE library https://github.com/nkolban/ESP32_BLE_Arduino helped me a lot. Now my developer board advertises itself as Authenticator and provides four required endpoint to communicate. Google Chrome is able to detect the device and tries to connect to it. However, the endpoints just do nothing at the moment and authentication fails with error.
As well I have discovered a great chip for Secure Authentication - ATECC508A. From the datasheet details looks like it could provide all the necessary security procedures and store 16 user keys.
I'm thinking if 16 keys is enough or not. From my perspective it's quite a decent amount - user can use secure authenticator device to login to major and most important accounts like Google or Github and use them as OAuth provider later. If not - ESP32 board has 4Mb flash memory onboard which can be used to store more keys but not as secure.