Nitrokey 3 PSD2 compliance

Hello. I was wondering something…

Ever since there is this new litigation in EU called PSD2, the financial institutions have started demanding 2FA for their customers. Normally they’re being very lax and automatically demand a mobile number without a second thought (which has caused me a whole another set of problems, but that’s unrelated for now). Anyway, I have read the relevant parts of the law a bit and apparently the law dictates that financial institutions should require 2 factor authentication where the two factors must be chosen from the following options:

- Something you have (devices)
- Something you know (i.e. passwords, pins)
- Something you are (biometrics)

The biometrics isn’t really relevant, but I was wondering, if Nitrokey 3 could technically fit into the other two categories. It’s already a smart device (something I have; well not yet technically since I haven’t received the preorder yet, but you know…). It’s really the “what you know” part I’m interested about. I’ve not yet used any 2FA methods like WebAuthn, so I don’t know exactly how this works, but I read that the standard does offer a secure passwordless website login. So this got me wondering… if it’s passwordless, then it technically doesn’t conform to the “something you know” part of the directive.

Is it possible to use Nitrokey 3 as a 2FA to login, but also make Nitrokey require a PIN number before the authentication can proceed (so both conditions are met)?

Thanks in advance.

In case FIDO2 is used as 2FA (which Nitrokey 3 supports, but as well Nitrokey FIDO2), the login operation can be protected by a PIN. This must be requested by the server however, as by FIDO2 specification it is possible to sign request without it as well.
And the password-less login (via Resident Keys feature of the FIDO2) requires PIN.