May be similar issue as mine.
Yubico has pretty awful on-device password support, but for MFA it works.
With yubico you're better off thinking of per-site passphrases that you keep in memory in addition to their one-click password entry, so it gets memory heavy.
My main thing is my paaword manager is protected by 2fa...maybe not 100%secure granted, but I am not a state level actor and have no major money/property to steal. That's probably why I have no similar issues.
The issue with onlykey is the static key placement.
Trezor for example randomizes key positions, so even if someone gets the key, they won't be able to guess the PIN based on greasemarks and such.
The trezor looks cool, but it's a bit bulky to put on a key ring. I wouldn't want to carry it around as my second factor.
The benefit of external factors, like a fingerprint reader, like an external pin input is that a compromised computer doesn't get the something you know.
Out of left field, but take a look at Trezor.
They specialize in cryptocurrency hardwallets, but by extension, they also offer password/2fa functionality on their devices.
No biometrics* that I'm aware of, but PIN protection is mandatory.
So as I see it, there is no jack of all trades here, no device supporting modern encryption standards, having biometrics and NFC support and is best case made in Germany, at the moment. π€
I went for a YubiKey last night, I am sure it is good enough. π
And thanks again for your suggestions.