Now that The Bastion supports *-sk keys, it would be nice to have PIV-like policies available to limit keys to an account to PIV/SK/FIDO2, grace periods, etc. It could potentially utilize PubkeyAuthOptions in some capacity.

Please close this if it seems like a stinker of an idea :).