Re: H/W vs S/W vs cloud
> which feels to me like it almost has vulnerability built in from the get-go.
Not intrinsically: a cloud service can be built to be much more secure than most people can build their own.
The weakness will be in how you authenticate to the cloud service, to get it to sign something. And as long as that has some sensible approach (e.g. U2F token) then it should be pretty good.
Basically it means you push the cheap U2F token to the end user, and the expensive HSM module into a centrally managed service.
Biting the hand that feeds IT
