I want to promote the NK3 among friends and colleagues, therefore I want to be sure that I understand some of the main features correctly. Please excuse my sloppy terminology.
It is possible to configure one HMAC “key” only - in my case it works for unlocking KeepassXC - but this one HMAC can be used to unlock additional systems. I.e., the second device would not “know” and would not “care” that I am already using the HMAC for my KeepassXC. Correct? (This implies the upsides and downsides of a key that opens more than one door, of course)
If I use the NK3 to create a passkey as the second factor on a login system which requires user ID and password, then that passkey is a so-called non-resident key which is not actually stored in the NK3 because it is not needed according to the underlying protocol. According to the linked article, the NK3 can handle a practically unlimited number of non-resident keys for a practically unlimited number of system logins. Correct?
Allow me to rephrase my questions in a more straightforward manner:
you can only configure one HMAC “key” but you can use it to authenticate on more than one system
you can use the NK3 as a “passkey container” to authenticate on a practically unlimited number of systems as long as the passkeys are used as the second factor - i.e. instead of TOTP, in addition to user ID and password - for systems which support 2FA.
For Nitrokey 3, there are two slots for a hmac secret, that can be set with nitropy or the app. This however will be used directly by supported applications. I know of keepassxc that supports this to protect and encrypt a password database.
Then there are old HMAC challenge responses similar to YubiKey. They are now used very rarely and change after every use as a counter gets increased. You may ignore them.
For Linux you could also use fido2-cred and fido2-assert to create one on-device fido2 credential for the sake of creating arbitrary challenge responses using the hmac-secret extension.
Also there are tools like age-plugin-fido2-hmac that can be used to encrypt data using fido2 and thus a nitrokey 3.
You can authenticate unlimited sites using non-discoverable fido2 as second factor. The website stores the required data next to a user account that is useable only with your fido2 token.
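An added example, not part of the thread and not Nitrokey firmware code: a simplified Python model of one common way a token can serve an unlimited number of non-discoverable credentials, by re-deriving each site's key from a single device secret plus the credential ID that the site stores and sends back. The class and function names, the 32-byte nonce plus 32-byte tag layout and the site names are assumptions made for illustration.

```python
from __future__ import annotations

import hashlib
import hmac
import os


class ToyAuthenticator:
    """Hypothetical model of a token that keeps no per-site state."""

    def __init__(self) -> None:
        # The only secret held on the device (random, constructed here).
        self._master = os.urandom(32)

    def _derive(self, rp_id: str, nonce: bytes) -> tuple[bytes, bytes]:
        # Key seed and integrity tag, both bound to the site (rp_id).
        msg = rp_id.encode() + nonce
        seed = hmac.new(self._master, b"key:" + msg, hashlib.sha256).digest()
        tag = hmac.new(self._master, b"tag:" + msg, hashlib.sha256).digest()
        return seed, tag

    def register(self, rp_id: str) -> tuple[bytes, bytes]:
        """Return (credential_id, key_seed); nothing is written to the token.

        A real authenticator would keep the seed internal and hand the site
        only the credential ID and the matching public key.
        """
        nonce = os.urandom(32)
        seed, tag = self._derive(rp_id, nonce)
        return nonce + tag, seed

    def recover(self, rp_id: str, credential_id: bytes) -> bytes | None:
        """Rebuild the key seed from the ID the site sends back at login."""
        if len(credential_id) != 64:
            return None
        nonce, tag = credential_id[:32], credential_id[32:]
        seed, expected = self._derive(rp_id, nonce)
        # Reject IDs minted by another token or for another site.
        return seed if hmac.compare_digest(tag, expected) else None


def register_many(token: ToyAuthenticator, count: int) -> dict[str, tuple[bytes, bytes]]:
    """Register with `count` constructed sites; the sites hold the IDs."""
    return {f"site{i}.example": token.register(f"site{i}.example") for i in range(count)}


if __name__ == "__main__":
    token = ToyAuthenticator()
    sites = register_many(token, 1000)
    cred_id, seed = sites["site7.example"]
    print(token.recover("site7.example", cred_id) == seed)   # same key again
    print(token.recover("site8.example", cred_id))           # wrong site
```

The token's state is the same size after 1000 registrations as before the first, which is why the number of second-factor logins is not limited by on-device storage.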