Please bear with me, I’m still trying to learn how I can use the NK3.
So one thing I did was registering on webauthn.io which worked using FIDO2. I now have a resident credential on the key (which I cannot delete, but that will be another thread) and was able to authenticate on the website. But when entering the PIN wrong three times, all I had to do was power cycle the key.
The other use case, which is far more likely to be at risk for brute force is the encryption of my harddrive (relying on LUKS2). Using
systemd-cryptenroll to enroll two keys, one protected with PIN and one without, directly works. Nice. This time, there is no resident key on the NK3, though. Still, entering the PIN three times wrong just needs a power cycle.
I was expecting that the key would block access to its secrets/delete them from its internal storage after the PIN gets entered wrong too many times. Is there some setting where I can configure this?