[skybrian]

Sure, that's one threat scenario, but aren't there others?

It seems like a hardware key helps when using a machine temporarily, and it gets compromised after you use it.

[drivebycomment]

Hardware based is of course better, but if we're comparing "hardware-based OTP" and "software-based u2f", the latter is better for practically everyone.