This sounds pretty good to me, this is therefore like a regular old password except it's a cryptographic key that I don't have to remember and it's secured by whatever device PIN or face unlock that the device has. I think this might have a chance to succeed. Unfortunately the UI popups they implemented are not good, they need to remove the "usb security key" option and hide it under an advanced options tab. Anyone who uses that is an expert, please only prompt for the default device verification, like Windows Hello or face unlock on an iPhone.

Also the fact that Chrome by default prompts for a QR code + mobile signin flow is a bit crazy to me, it seems they are very confident that everyone who has a desktop wants to login via phone. Which makes no sense to me, do I really want to use my phone to login to all my desktop applications? I don't think so, maybe younger people who only have laptops + phones do this but still.. why would this be the default, surely Windows Hello or whatever MacOSX uses on desktop is still faster than picking up my phone constantly. I tried it and I was very surprised that it almost worked flawlessly. It asked me to automatically turn on my bluetooth, it connected to my PC's bluetooth within seconds and actually created a working login for my desktop via my mobile phone. It's impressive that this worked... except for the part that the "sign up" popup on desktop never went away automatically!

I mean, here's the thing, I already don't have to worry about a site's shitty security practices because I'm using a random password for each account. Sure, my email could be leaked, but it's available on my CV anyway so, uh, congrats?