I’m glad to see them trying and I really do want to see competition in the digital game storefront space. However, I have zero trust in EA to not try and fuck me as a customer at some point. So ya, no matter how good of a fee structure they offer devs, they will continue to lack the one thing devs actually care about: customers.
Also, as a Linux gamer, it’s really tough to consider a store front which doesn’t offer a Linux client. Sure, I might be able to get their app running in Wine. But, at that point, maybe I should just go support the company which is supporting me.
They can be, depending on the types of threats you expect to face. If physical theft is an expected threat, then a hardware token runs the risk of being stolen and abused. For example, your attackers might just buy off cops to rob you and take your stuff. Having the physical device locked with a PIN/Passcode can mitigate this threat somewhat. But, that just becomes another password the attackers need to figure out.
On the other side of the coin, TOTP applications have started offering Cloud Backup options for accounts. What this demonstrates is that it’s possible to move those accounts between devices remotely. A hacked device means those codes may be exfiltrated to an attackers device and you will be none the wiser. Good security hygiene and device hardening can help mitigate these issues. But, it also means you need to a lot of trust in a lot of third parties. Also, you need to be unimportant enough for an attacker to not burn a 0-day on.
Ultimately, security is all about trade-offs. If you worry about physical security and don’t expect to face a threat which might compromise your phone, then a TOTP app might be a better option. If you are more worried about a hacked device being used to leak credentials, then a physical token may be a better choice. Each way you go has some ability to mitigate the risks. PIN for a physical token and device hardening for TOTP. But, neither is a silver bullet.
And, if your threat model includes someone willing and able to engage in rubber hose cryptanalysis, then you’re probably fucked anyway.
Ya, it’s a weird space that you cannot be legally forced to divulge a password, except in cases where the content of the drive is a “foregone conclusion” (as defined by the US Supreme Court). But, they can absolutely collect biometric markers (including forcing a fingerprint scan).