You can use your CanoKey as a 2FA device on many websites.
The PIN is not set by default. You may set a new PIN using Windows Hello or other possible applications.
You may use the following command to generate a private key for ssh. See here for more info.
ssh-keygen -t ecdsa-sk # or you prefer ed25519 ssh-keygen -t ed25519-sk
pam_u2f provided by Yubico. One common scenario is