Yes precisely because I don't rely on Microsoft or Google to handle that.
I have my own physical keys. I started like most with YubiKey, including a YubiKey Bio, then learned about NitroKey https://www.nitrokey.com/ thanks to NLNet https://nlnet.nl/project/Nitrokey-3/ so now I have passkey that I could verify https://certification.oshwa.org/list.html?q=nitrokey as they are certified and audited https://www.nitrokey.com/news/2015/nitrokey-storage-got-great-results-3rd-party-security-audit
That being said... IMHO your doubt raises an interesting question, why? Why do you NOT trust them? Do you imagine they have your data? Do you think an interactive explanation where one exchange data would help to understand why no trust is required or maybe better, where it matters?
Yep. To give you some example I login to my self-hosted forge this way. I also use
PAMon my desktop to login this way. I alsosudothis way. Unfortunately I don't use this on my phone anymore as I switched to GrapheneOS which requires GooglePlay Services for this kind of auth mechanism (with possible work around https://codeberg.org/s1m/hw-fido2-provider that I didn't try yet).Please note I'm no security expert but to clarify few things are important precisely when you are not a professional :
If the answer to either is "maybe" then I recommend before buying you search online and insure it does work with your specific setup. If the answer though is yes to standards and no to additional software then you are, unless there is a weird bug basically, pretty sure to be able to use it however you want, wherever you want.
Sidenote that it's the same heuristic for IoT. If you buy a "brandname smart thing" then you probably need their idiosyncratic stack whereas if you rely on standards, e.g. Zigbee or ZWave, then you are nearly guaranteed a smooth experience.
Hope that helps. I know that navigating acronyms can be tricky but IMHO here it's worth investing a tiny bit of time to recognize them.
Finally as we are talking about open hardware and security I would also add 3rd party audits. I don't have the competency to insure that the hardware and software implementation are cryptographically safe. I can test that it does in some case what it claim to do, e.g. lock after 3 failed attempt, but could some kind of weird collision hash or bad pseudorandomness be used to practically limit the pool of potential keys or passwords? I don't have the knowledge for that. I also can't trust that NitroKey did it right based on the claim of their website. So... audits help bridge that gap in trust. If I can't trust the vendor and I don't have the expertise despite being entirely open then I look for others who did verify on my behalf.