I would consider PIV and SSH through PIV/OpenPGP legacy and undesired nowadays. If you're only interested in a state-of-the-art second factor instead of passwords for sensitive use cases, a simple FIDO2 security key w/o all the extra features on a YubiKey 5 is enough.
You can solve most of those with only FIDO2 nowadays:
WebAuthn with FIDO/U2F is supported on most websites and OIDC providers.
SSH with FIDO and resident / non-resident keys is supported.
PAM -> as documented in the guide, although setting origin and type manually isn't necessary and you can save keys in ~/.config/Yubico so non-root users can manage their keys. I would recommend enabling PIN verification with pamu2fcfg --pin-verification.
LUKS hard disk encryption with FIDO2 for unlocking isn't covered but is possible; systemd-cryptenroll can set this up on modern Linux distributions.
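Added example, not part of the comment above and not pam_u2f's own code: a small audit that lists the credentials in a pam_u2f authfile (such as the one saved under ~/.config/Yubico) that were enrolled without PIN verification. It assumes the authfile layout user:keyHandle,publicKey,coseType,options with options such as +presence+pin; the sample data and all function names are constructed for illustration.

```python
import sys
from dataclasses import dataclass

# Constructed sample authfile; key handles and public keys are fake placeholders.
SAMPLE_AUTHFILE = """\
alice:KH_ALICE_1,PK_ALICE_1,es256,+presence+pin
bob:KH_BOB_1,PK_BOB_1,es256,+presence:KH_BOB_2,PK_BOB_2,eddsa,+presence+pin

carol:KH_CAROL_OLD,PK_CAROL_OLD
"""

@dataclass(frozen=True)
class Credential:
    user: str
    index: int           # position of the credential on the user's line
    cose_type: str       # "unknown" when the entry has no type field
    options: frozenset   # e.g. {"presence", "pin"}

def parse_authfile(text):
    """Parse 'user:kh,pk,type,opts[:kh,pk,type,opts...]' lines (assumed layout)."""
    creds = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        user, _, rest = line.partition(":")
        for index, entry in enumerate(e for e in rest.split(":") if e):
            fields = entry.split(",")
            # Entries with only keyHandle,publicKey carry no type or options,
            # so they cannot require a PIN and are reported as well.
            cose_type = fields[2] if len(fields) > 2 else "unknown"
            opts = fields[3] if len(fields) > 3 else ""
            options = frozenset(o for o in opts.split("+") if o)
            creds.append(Credential(user, index, cose_type, options))
    return creds

def missing_pin(creds):
    """Return (user, index) for every credential enrolled without '+pin'."""
    return [(c.user, c.index) for c in creds if "pin" not in c.options]

if __name__ == "__main__":
    # With a path argument, audit that file; otherwise use the constructed sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_AUTHFILE
    for user, index in missing_pin(parse_authfile(text)):
        print(f"{user}: credential #{index} does not require a PIN")
```

Credentials flagged here would have to be enrolled again with pamu2fcfg --pin-verification to pick up the PIN requirement.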
| WebAuthn with FIDO/U2F is supported on most websites and OIDC providers.
I wish that was true. I’ve found that WebAuthn is becoming more common in the last year, but is still relatively rare. Many “important” sites and services make use of them. https://www.yubico.com/works-with-yubikey/catalog/ is a great place to see them, but they’re still quite rare as a whole.