How do you prevent malware running on the pwned laptop from asking for an ephemeral cert to be issued? How do you know a human being is in the loop? Usually ephemeral sessions are up to 15 minutes (also to deal with misaligned clocks and unhappy users) - plenty of time for malware to ship the cert back to a command-and-control server.
This is the key advantage of hardware keys, the fact that the physical press is required prevents the keys from being exfiltrated from the machine by malware.
> How do you prevent malware running on the pwned laptop from asking for an ephemeral cert to be issued?
If you have malware capable of code execution, restricting the ability to issue one command is not going to be a meaningful control, especially with something like a physical touch which most users are just conditioned to accept, or can be trivially phished into accepting.
> plenty of time for malware to ship the cert back to a command-and-control server.
If your infrastructure cannot distinguish legitimate traffic, or you do not have a defensible network perimeter, again a physical touch is not going to be meaningful; it is not the panacea you are looking for.
I'd be phished in a heartbeat. I have to tap my key like 10 times every morning and then several times more throughout the day due to random logouts. Could be my IDE, a broken SSH connection or an internal site that randomly decides to request it again, and of course the popup gives no indication of where the request came from. It's ridiculous.
I think things would be more secure with fewer prompts because I wouldn't be conditioned to just tap every time it pops up.
> This is the key advantage of hardware keys, the fact that the physical press is required prevents the keys from being exfiltrated from the machine by malware.
Secure elements prevent exfiltration. Touch requirements prevent on-device reuse by local malware.
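The two properties the thread is arguing about (is a human in the loop for this particular assertion, and has the credential left the device) map onto two fields a WebAuthn relying party already checks in every assertion: the UP bit in the authenticator-data flags byte, which the authenticator sets only after its user-presence test (the touch), and the 32-bit signature counter, which a copied credential cannot keep in step with the original. The following is an added example written for this page, not code from any commenter or from a particular library; it parses the authenticator-data prefix and applies the two checks, with constructed inputs standing in for what an authenticator would return. The signature over authenticatorData || clientDataHash is verified separately and is omitted here. The last case in the demo is the one the thread cares about: a malware-driven request that the conditioned user taps through carries a valid UP bit and a fresh counter, so both checks pass, which is exactly why touch proves presence but not intent.

```python
import hashlib
import struct
from dataclasses import dataclass

# Layout of authenticatorData (WebAuthn Level 2, section 6.1):
#   rpIdHash   32 bytes  SHA-256 of the RP ID
#   flags       1 byte   bit0 UP (user present), bit2 UV (user verified)
#   signCount   4 bytes  big-endian uint32
#   [attestedCredentialData, extensions ...]  (not needed for assertions here)
FLAG_UP = 0x01
FLAG_UV = 0x04


@dataclass
class AuthData:
    rp_id_hash: bytes
    flags: int
    sign_count: int


def parse_auth_data(raw: bytes) -> AuthData:
    """Parse the fixed 37-byte prefix every authenticatorData value starts with."""
    if len(raw) < 37:
        raise ValueError("authenticatorData too short")
    (sign_count,) = struct.unpack(">I", raw[33:37])
    return AuthData(rp_id_hash=raw[:32], flags=raw[32], sign_count=sign_count)


def verify_assertion(raw: bytes, rp_id: str, stored_count: int,
                     require_uv: bool = False) -> int:
    """Apply the RP-side checks and return the counter value to persist.

    Raises ValueError with the reason on any failure.
    """
    ad = parse_auth_data(raw)
    if ad.rp_id_hash != hashlib.sha256(rp_id.encode()).digest():
        raise ValueError("rpIdHash mismatch")
    # UP is set by the authenticator only after its presence test (the touch).
    if not ad.flags & FLAG_UP:
        raise ValueError("user presence (touch) not asserted")
    if require_uv and not ad.flags & FLAG_UV:
        raise ValueError("user verification required but not asserted")
    # Counter rule from the spec: if either value is non-zero, the new one must
    # be strictly greater; otherwise the credential may have been cloned.
    if (ad.sign_count != 0 or stored_count != 0) and ad.sign_count <= stored_count:
        raise ValueError("signature counter did not increase: possible cloned credential")
    return ad.sign_count


def outcome(raw: bytes, rp_id: str, stored_count: int) -> str:
    """Convenience wrapper: 'ok' or the rejection reason, for the demo and tests."""
    try:
        verify_assertion(raw, rp_id, stored_count)
        return "ok"
    except ValueError as e:
        return str(e)


def build_auth_data(rp_id: str, flags: int, sign_count: int) -> bytes:
    """Constructed stand-in for what an authenticator emits (no real device involved)."""
    return (hashlib.sha256(rp_id.encode()).digest()
            + bytes([flags])
            + struct.pack(">I", sign_count))


if __name__ == "__main__":
    rp = "example.com"          # assumed RP ID for the demo
    stored = 41                 # counter the RP saved after the last good login
    cases = {
        "human taps, key on device":        build_auth_data(rp, FLAG_UP, 42),
        "malware asks, nobody taps":        build_auth_data(rp, 0, 43),
        "cloned key replays old counter":   build_auth_data(rp, FLAG_UP, 41),
        "malware asks, conditioned user taps": build_auth_data(rp, FLAG_UP, 44),
    }
    for name, raw in cases.items():
        print(f"{name:40s} -> {outcome(raw, rp, stored)}")
```

The counter only helps against a credential that was actually copied out, which is what the secure element is there to prevent; it says nothing about who pressed the button. The UP bit says a button was pressed; it cannot say whether the request behind it was the user's IDE or a C2 implant, so the one defence left at that layer is making prompts rare and legible enough that people stop tapping reflexively.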