
Do "Passkey or security key" MFA devices for the root user satisfy the Security Hub IAM.6 requirement?


For compliance and security, we need to use hardware MFA devices as specified by IAM.6, "Hardware MFA should be enabled for the root user". The description reads:

This AWS control checks whether your AWS account is enabled to use a hardware multi-factor authentication (MFA) device to sign in with root user credentials.

The "Assign MFA" page lists three options:

  • Passkey or security key
  • Authenticator app
  • Hardware TOTP token

As we're currently in procurement for a solution, we need confirmation that "Passkey or security key" satisfies the IAM.6 requirement, or whether only the hardware TOTP device is accepted. Would a FIPS-compliant YubiKey such as this one suffice for the security requirement?

If only the TOTP token satisfies the IAM.6 requirement, how is a non-US entity supposed to procure one, given that only two devices from Thales are listed and neither is available in our current operating country (EU)? If this is not the case, you can ignore this secondary question.

Asked 1 year ago, viewed 287 times
1 answer

In addition to a hardware TOTP token, a passkey or security key will meet the requirement of the IAM.6 control in Security Hub.

For example, a passkey stored in a Chrome profile or a FIDO2 security key configured for the root user will generate a PASSED check for the IAM.6 control.

Please refer to the links below for more information on FIDO2 security key support in IAM: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_fido_supported_configurations.html#id_credentials_mfa_fido_supported_devices https://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_mfa-fido.html

For supported Yubico devices, please use this link and search for FIDO2-certified keys: https://fidoalliance.org/certification/fido-certified-products/

AWS
Support Engineer
Answered 1 year ago
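To see why a FIDO2 key passes while a virtual (app-based) MFA fails, it helps to reproduce the control's decision rule locally. The block below is an added example, not AWS's own code and not part of the answer above. It assumes, based on the published description of the underlying Config rule (root-account-hardware-mfa-enabled), that IAM.6 passes when the account summary reports `AccountMFAEnabled == 1` and no virtual MFA device is assigned to the root user; FIDO2 security keys and hardware TOTP tokens are not virtual devices, so they never appear in `ListVirtualMFADevices`. The account ID, ARNs and API responses are constructed sample data; `fetch_live_inputs` is an optional helper (requires boto3 and root-readable IAM credentials) that is not called when the module runs offline.

```python
"""Reproduce the pass/fail logic of Security Hub control IAM.6.

Added example for illustration; it mirrors the documented behaviour of the
Config rule root-account-hardware-mfa-enabled and is not AWS's own code.
"""
from typing import Any

# Constructed sample account ID; any 12-digit value works for the demo.
ROOT_ARN = "arn:aws:iam::123456789012:root"


def evaluate_iam6(account_summary: dict[str, int],
                  virtual_mfa_devices: list[dict[str, Any]]) -> str:
    """Return "PASSED" or "FAILED" for IAM.6.

    Inputs have the shape of iam:GetAccountSummary (SummaryMap) and
    iam:ListVirtualMFADevices (VirtualMFADevices, AssignmentStatus=Assigned).
    Assumed rule: root MFA must be enabled AND no *virtual* MFA device may be
    assigned to root. FIDO2 keys and hardware TOTP tokens are not virtual, so
    they satisfy the control; an authenticator app does not.
    """
    if account_summary.get("AccountMFAEnabled", 0) != 1:
        return "FAILED"          # root has no MFA at all
    for device in virtual_mfa_devices:
        user_arn = device.get("User", {}).get("Arn", "")
        if user_arn.endswith(":root"):
            return "FAILED"      # a software TOTP device is assigned to root
    return "PASSED"


# Constructed scenarios matching the three options on the "Assign MFA" page.
SCENARIOS: dict[str, tuple[dict[str, int], list[dict[str, Any]]]] = {
    # FIDO2 security key / passkey on root: MFA enabled, no virtual device.
    "fido2_security_key": ({"AccountMFAEnabled": 1}, []),
    # Hardware TOTP token on root: also not a virtual device.
    "hardware_totp_token": ({"AccountMFAEnabled": 1}, []),
    # Authenticator app on root: shows up as an assigned virtual device.
    "authenticator_app": (
        {"AccountMFAEnabled": 1},
        [{
            "SerialNumber": "arn:aws:iam::123456789012:mfa/root-account-mfa-device",
            "User": {"Arn": ROOT_ARN, "UserId": "123456789012"},
        }],
    ),
    # Virtual MFA assigned to an IAM user, not root: does not affect IAM.6.
    "app_on_iam_user_only": (
        {"AccountMFAEnabled": 1},
        [{
            "SerialNumber": "arn:aws:iam::123456789012:mfa/alice",
            "User": {"Arn": "arn:aws:iam::123456789012:user/alice"},
        }],
    ),
    # No MFA on root at all.
    "no_mfa": ({"AccountMFAEnabled": 0}, []),
}


def evaluate_all() -> dict[str, str]:
    """Evaluate every constructed scenario; returns name -> PASSED/FAILED."""
    return {name: evaluate_iam6(summary, devices)
            for name, (summary, devices) in SCENARIOS.items()}


def fetch_live_inputs() -> tuple[dict[str, int], list[dict[str, Any]]]:
    """Optional: pull the real inputs from IAM (needs boto3 and credentials).

    Not called during the offline run; wire it to evaluate_iam6 to check
    your own account before waiting for the next Security Hub evaluation.
    """
    import boto3  # imported lazily so the module runs without boto3
    iam = boto3.client("iam")
    summary = iam.get_account_summary()["SummaryMap"]
    virtual = iam.list_virtual_mfa_devices(
        AssignmentStatus="Assigned")["VirtualMFADevices"]
    return summary, virtual


if __name__ == "__main__":
    for name, result in evaluate_all().items():
        print(f"{name:24s} IAM.6 -> {result}")
```

The key point the scenarios make concrete: the control does not distinguish FIDO2 from hardware TOTP, it only penalises a virtual (software) device bound to root, which is why both a security key and a hardware token produce PASSED while an authenticator app produces FAILED.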
