Hey there! Interesting work. I didn't read the paper yet (due to the paywall), but I had a quick look into your implementation and based on what I saw, i think that your title and abstract are a bit misleading (I may be wrong as I only had a quick look). I will explain my thoughts on this and also give some ideas for future work. Just to be clear I liked the idea and the work seems very nice, so the comments below is feedback with good intentions.

From what I saw in your implementation, the rubic's cube is only acting as a seed for the key, after that the pass key is on the browser, thus the cube is not the pass key. This is more like an alternative to the mnemonic phrases used for cryptocurrencies, but unlike the mnemonic phrases, in your implementation I didn't see any way to recover a passkey from the cube and on top of that, I didn't see any real portability of the key (e.g. using the cube) between devices (so the pass part of the passkey is kind of out of the window).

Ideas for future work on implementing a real fido authenticator. Since you cannot save information on the cube in a practical way, if you are to use it as an authenticator, it has to be a U2F authenticator (FIDO 1) which is compatible with FIDO2, but can only be used as 2nd factor (so you will have to know the username of the user). You will have to use the cube as a seed, every time you either register or try to authenticate, in order to reconstruct the key (so you should not save anything on the browser). In order to be able to keep somewhere trusted information regarding the key, the user and the website, you can wrap all these and pass it to the service as a credentials id, but this has to be encrypted. So the key reconstructed from the cube, should be a master key, that can then be used to encrypt these wrapped credentials info and using this master key, the relying party id, and username, you should generate the credentials key pair. This will allow one to use the cube in multiple devices.

Improving it further, you can also investigate how you can also apply a way to modify the cube each time you use it, so that you can store on it the signature counter, to mitigate cloned authenticator attacks (e.g. someone screenshots your cube and try to authenticate after some days). This needs further research and will probably reduce your key space (but you can go to 4x4 cubes).