Can FIDO2 protect my local Windows account?
How to sign into my Windows Account with a security key
There are different types of security keys that you can use, like a USB key that you plug into your device or an NFC key that you tap on an NFC reader. The authenton#1 has both USB-A and NFC interfaces.
1. Go to the Microsoft account page and sign in as you normally would, or use https://account.live.com/proofs/Manage/additional
2. Select Security > More security options
3. Select Add a new way to sign in or verify
4. Select Use a security key
5. Identify what type of key you have (USB or NFC) and select Next.
6. You will be redirected to the setup experience where you will insert or tap your key.
7. Create a PIN (or enter an existing PIN if you have already created one).
8. Take the follow-up action by touching either the button or gold disk if your key has one (or read the instruction manual to figure out what else it might be).
9. Name your security key so that you can distinguish it from other keys.
10. Sign out and open Microsoft Edge, select Use Windows Hello or security key instead, and sign in by inserting or tapping your key.
Does the FIDO2 security key protect my local Windows Account?
No!
The standard Windows 10 settings let you manage your security key (e.g. add a new PIN or change an existing known PIN to a new value).
The FIDO2 authenticator can then be used to register with and log in to a web-based Microsoft account.
Note:
It is impossible to use a security key directly for Windows login to a local (offline) Windows account, because a FIDO2 security key is a client -> server oriented application.