That's fair, but it's also slightly different from your original proposal, as it now explicitly requires custom dedicated hardware. You originally just stipulated "hardware assist" and allowed for "trusted desktop" or other otherware (e.g. smartphone/tablet/etc.).
It doesn't require the dedicated hardware, it's just an option (that doesn't exist yet...). I think it's likely a better option than products like the Mooltipass.
I use this approach currently, since I basically trust my desktops. I can also ssh to a server I trust, which is capable of doing it. You could do it now on a smartphone, but that's a tough platform to lock down. If you're desperate, you could find a website that can do it for you (googled quickly): http://pajhome.org.uk/crypt/md.... Regardless of full desktop, smartphone, or keyfob, the general characteristics are always the same: never storing secret, never directly performing authentication, no storing secure keys (although they could be added as another layer).
You definitely never need to worry about compromised sites:
hashlib.sha256('PrivateSimplePass+OnlinePoker.com'.encode('utf-8')).hexdigest()[:16] = '2afd111a2ddde285'
When their site gets compromised, your password needs to change:
hashlib.sha256('PrivateSimplePass+YourSecuritySucks'.encode('utf-8')).hexdigest()[:16] = 'fead5a3bbde90be3'
I do agree that a password safe combo would be the best option, since it's just not important to really lock down every password.
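The derivation scheme from the comment above, written out as an added example (not code from either commenter): the posted fast SHA-256 variant next to a slow-KDF variant with an explicit rotation counter. The hardened function, the PBKDF2 parameters and the sample master secret are assumptions of this example; the point of the second function is that a derived password leaked from one site should not give an attacker a cheap offline guess at the master secret.

```python
import hashlib

# Constructed sample value for the example; a real master secret is never stored.
MASTER = "PrivateSimplePass"


def derive_fast(master: str, label: str) -> str:
    """The scheme as posted: first 16 hex chars of SHA-256(master + '+' + label).

    Rotation after a breach is done by changing the label (the post's
    'YourSecuritySucks').  Risk: one SHA-256 is cheap, so a single leaked
    site password lets an attacker test master-secret guesses very quickly.
    """
    return hashlib.sha256(f"{master}+{label}".encode("utf-8")).hexdigest()[:16]


def derive_slow(master: str, site: str, generation: int = 0,
                iterations: int = 600_000) -> str:
    """Hardened variant (an assumption of this example, not the post's scheme).

    PBKDF2-HMAC-SHA256 with the site name plus a rotation counter as the salt:
    each master-secret guess now costs `iterations` hashes instead of one, and
    rotating a site's password is an explicit counter rather than a new label
    you have to remember.  dklen=8 gives 16 hex chars, the same shape as above.
    """
    salt = f"{site}:{generation}".encode("utf-8")
    dk = hashlib.pbkdf2_hmac("sha256", master.encode("utf-8"), salt,
                             iterations, dklen=8)
    return dk.hex()


if __name__ == "__main__":
    # Same site, same master: deterministic, so nothing needs to be stored.
    print(derive_fast(MASTER, "OnlinePoker.com"))
    # Post-breach rotation in each scheme.
    print(derive_fast(MASTER, "YourSecuritySucks"))
    print(derive_slow(MASTER, "OnlinePoker.com", generation=0))
    print(derive_slow(MASTER, "OnlinePoker.com", generation=1))
```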