
If I have a YubiKey/other hardware key, then I can add that as a U2F device and restrict logins to require that hardware key to be present when logging in to web sites with my username and password.

However, if I add "This Device" as the U2F device (when registering U2F devices at a web site), what are the drawbacks?

I assume that now I can only log in with that particular computer, and that the TPM module or Apple T2 security chip has an embedded private key that cannot leave the device.

At first glance, this seems just as good as a YubiKey, without having to spare a USB port. (Of course, as a precaution, I would still register other devices or print out backup codes in case of loss or damage to the computer).

However, with "This Device" chosen, I tried logging in using a different Chrome profile, and I was not able to authenticate using "This Device".

  1. Does this mean that although it says "This Device", it really means "ONLY This Chrome profile, and ONLY on this device, and if I reinstall the OS on this computer I lose access"?

  2. I assume Chrome will not allow me to log in using the same profile on a different machine, and use that other device, because that device is not registered? And Chrome won't use a software trick to allow the second device to share the same U2F device credentials?

  3. I assume the private key is forged into the T2 chip such that it can never be extracted? Or do any side channel attacks or exploits exist for a T2 chip that would not apply to a YubiKey? Is a YubiKey significantly more secure than the T2 chip for any reason?

  4. Are there any other disadvantages I've not thought of?

It'd be nice to not have to spare a USB port for a hardware key if I already have the T2 chip...

Andrew Parks

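The question asks whether "This Device" means the credential is bound to one profile on one machine. On the relying-party side, what comes back at registration is the WebAuthn/FIDO2 authenticator data, and its fields are where that binding becomes visible: the credential ID identifies the key pair the authenticator created, the AAGUID identifies the authenticator model, and (in WebAuthn Level 3) the BE and BS flag bits tell the site whether the private key is eligible to be backed up or synced away from the device, or is device-bound. The following parser is an added example written for this page, not code from the question or from any browser vendor; the two sample blobs, the all-zero AAGUID and the stub COSE key bytes are constructed here so the block runs offline.

```python
import hashlib
import struct

# Bits of the WebAuthn authenticatorData "flags" byte.
FLAG_UP = 0x01  # user present
FLAG_UV = 0x04  # user verified
FLAG_BE = 0x08  # backup eligible: credential may be synced off the device
FLAG_BS = 0x10  # backup state: credential is currently backed up
FLAG_AT = 0x40  # attested credential data follows
FLAG_ED = 0x80  # extension data follows


def parse_authenticator_data(data: bytes) -> dict:
    """Parse authenticatorData as a relying party sees it at registration.

    Layout: rpIdHash (32) | flags (1) | signCount (4, big-endian) |
            [aaguid (16) | credIdLen (2, big-endian) | credId | COSE key (CBOR)]
    The COSE public key is returned as raw CBOR bytes; a real RP decodes it.
    """
    if len(data) < 37:
        raise ValueError("authenticatorData too short")
    flags = data[32]
    (sign_count,) = struct.unpack(">I", data[33:37])
    result = {
        "rp_id_hash": data[:32],
        "user_present": bool(flags & FLAG_UP),
        "user_verified": bool(flags & FLAG_UV),
        "backup_eligible": bool(flags & FLAG_BE),
        "backed_up": bool(flags & FLAG_BS),
        "sign_count": sign_count,
    }
    pos = 37
    if flags & FLAG_AT:
        if len(data) < pos + 18:
            raise ValueError("truncated attested credential data")
        result["aaguid"] = data[pos:pos + 16]
        pos += 16
        (cred_len,) = struct.unpack(">H", data[pos:pos + 2])
        pos += 2
        if len(data) < pos + cred_len:
            raise ValueError("truncated credential ID")
        result["credential_id"] = data[pos:pos + cred_len]
        pos += cred_len
        # Remaining bytes: the COSE public key (and any extension data).
        result["public_key_cbor"] = data[pos:]
    return result


def check_rp_id(parsed: dict, rp_id: str) -> bool:
    """The RP must confirm the credential was created for its own RP ID."""
    return parsed["rp_id_hash"] == hashlib.sha256(rp_id.encode()).digest()


def build_sample_authenticator_data(rp_id, flags, sign_count, aaguid, cred_id, cose_key):
    """Constructed sample for this example; assembles bytes in the same layout."""
    body = hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count)
    if flags & FLAG_AT:
        body += aaguid + struct.pack(">H", len(cred_id)) + cred_id + cose_key
    return body


SAMPLE_RP_ID = "example.com"
SAMPLE_AAGUID = bytes(16)                 # placeholder: all-zero AAGUID
SAMPLE_CRED_ID = bytes(range(32))         # constructed credential ID
SAMPLE_COSE_KEY = b"\xa5\x01\x02\x03\x26"  # constructed stub bytes, not a real key

# A device-bound credential (BE/BS clear) next to one flagged as backup-eligible.
DEVICE_BOUND = build_sample_authenticator_data(
    SAMPLE_RP_ID, FLAG_UP | FLAG_UV | FLAG_AT, 1,
    SAMPLE_AAGUID, SAMPLE_CRED_ID, SAMPLE_COSE_KEY)
SYNCED = build_sample_authenticator_data(
    SAMPLE_RP_ID, FLAG_UP | FLAG_UV | FLAG_AT | FLAG_BE | FLAG_BS, 1,
    SAMPLE_AAGUID, SAMPLE_CRED_ID, SAMPLE_COSE_KEY)

if __name__ == "__main__":
    for label, blob in (("device-bound", DEVICE_BOUND), ("synced", SYNCED)):
        p = parse_authenticator_data(blob)
        print(label, "rp ok:", check_rp_id(p, SAMPLE_RP_ID),
              "backup eligible:", p["backup_eligible"],
              "cred id:", p["credential_id"].hex())
```

A site that cares about the distinction the question raises can record `backup_eligible` alongside each credential and prompt the user to register a second authenticator or keep backup codes when every registered credential is device-bound, which is the precaution the question itself describes.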
0 Answers