Investigate how we can use FIDO2 tokens in EJBCA, to replace PKCS11 based tokens. WebAuthn support (implementing FIDO2?) it now built in to both Firefox and Chrome (starting with Chrome 67).
Yubikey supports FIDO2 and released a new FIPS 140-2 certified token today.
Google has its own Titan key:
Solo Open Source FIDO key:
Example of enrollment flow: https://demo.yubico.com/webauthn/