FIDO2 Key
good info:
https://www.complete.org/easily-using-ssh-with-fido2-u2f-hardware-security-keys/
Important distinction: Resident vs Non-Resident keys
Resident keys mean the private key is stored on the FIDO2 key itself: if someone steals your FIDO2 key, they can use it to log into your systems.
Non-resident means the key is "split up": a handle file on your PC that you need to have, plus a partial "private key" inside the FIDO2 key. You need BOTH to access any system. (You can also have an unlimited number of non-resident keys.)
In most cases you'll want non-resident keys (you can, for example, store the handle file in your password manager or similar), so only non-resident keys are covered here.
Still, we'll want multiple variants: having to touch the key on every SSH connection can be annoying in, for example, a homelab or testing environment. So for this overview, we'll generate a set of keys:
SSH Ed25519 non-resident keys - this should be the most-used type, since ed25519 is supposed to be the ideal key type in 2025. Generate one non-resident key (handle file) with touch required, and one without.
Good to know:
Disable the SSH agent - if an SSH agent is running, ssh will not ask you to "confirm user presence" but will just appear to hang until you touch the key.
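Added example, not from the original page: a small sh script that generates the two non-resident ed25519-sk variants above (touch required and not), emits the matching authorized_keys line, and shows how to bypass a running agent so the user-presence prompt is visible. It assumes OpenSSH 8.2+ with FIDO2 support; the file names, comments and the DRY_RUN switch are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the original page). Assumes OpenSSH 8.2+ with
# FIDO2 support and, for a real run, a FIDO2 key plugged in.
set -eu

# When DRY_RUN=1, print the command instead of running it (no token needed).
run() {
  if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# gen_sk_key MODE PATH: MODE is "touch" (default: user presence required on
# every signature) or "notouch" (-O no-touch-required). Both are non-resident:
# the handle file lands in PATH, the public key in PATH.pub. Touch the key
# when prompted; generation itself always needs a touch.
gen_sk_key() {
  mode=$1; path=$2
  case $mode in
    touch)   run ssh-keygen -t ed25519-sk -f "$path" -C "fido2-$mode" ;;
    notouch) run ssh-keygen -t ed25519-sk -O no-touch-required -f "$path" -C "fido2-$mode" ;;
    *) echo "gen_sk_key: mode must be touch or notouch" >&2; return 1 ;;
  esac
}

# authorized_keys_line MODE PUBFILE: sshd rejects signatures from a
# no-touch-required key unless the authorized_keys entry carries the
# no-touch-required option, so prefix it for the notouch variant.
authorized_keys_line() {
  mode=$1; pubfile=$2
  case $mode in
    notouch) printf 'no-touch-required %s\n' "$(cat "$pubfile")" ;;
    touch)   cat "$pubfile" ;;
    *) echo "authorized_keys_line: mode must be touch or notouch" >&2; return 1 ;;
  esac
}

# Usage with a key plugged in:
#   gen_sk_key touch   ~/.ssh/id_ed25519_sk
#   gen_sk_key notouch ~/.ssh/id_ed25519_sk_notouch
#   authorized_keys_line notouch ~/.ssh/id_ed25519_sk_notouch.pub   # append on the server
# To see the "Confirm user presence" prompt instead of a silent hang, bypass
# any running agent for that connection:
#   ssh -o IdentityAgent=none -i ~/.ssh/id_ed25519_sk user@host
```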