Thanks for this input. Summarized as I understand it - at least for gocryptfs and LUKS/cryptsetup on Debian:
- You can’t be sure that a Nitrokey Passkey really provides strong 2FA in those two programs.
No matter if its due
- to PIN-cashing (how and where could I safely disable it if not during creation?)
or due - to FIDO2-regulations (found that in an old thread: Nitrokey FIDO2 PIN creating - #13 by szszszsz). But allowing no PIN enforcement in this situation reduces 2FA to 1FA.
Seems like we have to wait for those softwares to tighten security on their side as passkeys dont upgrade firmware?!