
What I miss in the U2F tokens is a small display that would show the transaction details being approved.

Imagine you have malware on your PC; it can send a different transaction than the one you see in the browser, while the URL would still match. Having a transaction summary on the token would be the last verification point where you can still spot that something is wrong.



I have a Ledger Nano S that I use for cryptocurrency and it does basically this. It won't sign transactions unless you approve them from the device, and the little screen on the device shows the address(es) to which you're sending.

https://www.ledger.com/products/ledger-nano-s

It's $100, which is probably too much for your average user, but cheap enough that it's got to be feasible for a U2F kind of thing in a few years.

I guess even the addition of the screen, though, kind of necessitates using a cord so you can see that screen, which makes it less clean than my Yubikey Nano (which is far less obtrusive). But I think we're getting closer.


Thanks. Yes, this is something I think of. Does it show on the screen what operation you confirm with U2F? Or just "U2F authentication"? But the cord makes it far less convenient, unfortunately.


I use it for gpg, ssh (gpg-agent) and u2f. These are official applications that you can install on the device that do the above. It doesn't show the operation, just the website trying to access.


I'm not sure if it supports U2F. If it does, I haven't used it. It just seems to prove that what you were conceptually describing can exist, and at a not-completely-unreasonable price point.


SSH and GPG sadly don't display what requests it; it might be a protocol limitation. Same deal for FIDO.


The screen has to be run by the crypto chip if you want it to be properly 'secure', and most can't do that. At least not the ones you can buy off the shelf, unfortunately.


If you have malware on the PC you can still be MITM'd when you actually, say, access your bank.


Not if the encrypted data is displayed by the crypto chip, via a round trip between the bank and the chip (encrypted). Yes, technically it can be done, but this requires physical access to the device.
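The substitution threat from the top post and the bank-to-chip round trip described in this reply, as an added Python simulation (not code from the thread or from any token vendor): a constructed enrollment secret shared by the bank and the token is assumed, an HMAC tag stands in for the token's signature, and encryption is left out because it is the integrity of what the screen shows that defeats the swap.

```python
import hmac, hashlib, json

# Constructed secret shared by the bank and the token at enrollment; a stand-in for
# the token's private key, so an HMAC tag plays the role of the token's signature.
TOKEN_KEY = b"constructed-enrollment-secret"

def tag(key, kind, payload):
    """Domain-separated MAC so a challenge tag can never be replayed as an approval."""
    return hmac.new(key, kind + b"|" + payload, hashlib.sha256).digest()

def bank_issue_challenge(tx):
    """Bank serialises the transaction it will execute and binds it with a tag, so the
    untrusted host cannot hand the token a different summary to display."""
    payload = json.dumps(tx, sort_keys=True).encode()
    return payload, tag(TOKEN_KEY, b"challenge", payload)

def token_confirm(payload, challenge_tag, user_presses_ok):
    """Token checks the bank's tag, renders the summary on its own screen, and signs only
    what it rendered; user_presses_ok is the button press after reading that screen."""
    if not hmac.compare_digest(challenge_tag, tag(TOKEN_KEY, b"challenge", payload)):
        return None                      # host tampered with what the screen would show
    shown = json.loads(payload)          # exactly what the display renders
    if not user_presses_ok(shown):
        return None                      # user rejected on the device itself
    return tag(TOKEN_KEY, b"approve", payload)

def bank_verify(payload, approval):
    """Bank accepts only an approval bound to the very transaction it sent."""
    return approval is not None and hmac.compare_digest(
        approval, tag(TOKEN_KEY, b"approve", payload))

def run_scenario(intended, submitted, has_display):
    """User intends `intended`; the host (possibly malware) submits `submitted`.
    Returns True if the bank ends up executing `submitted`."""
    payload, ch_tag = bank_issue_challenge(submitted)
    if has_display:
        press = lambda shown: shown == intended   # user compares screen to intent
    else:
        press = lambda shown: True                # blind touch: nothing to compare
    return bank_verify(payload, token_confirm(payload, ch_tag, press))

def host_forges_display(intended, submitted):
    """Malware submits `submitted` but feeds the token a reassuring summary of `intended`."""
    _, ch_tag = bank_issue_challenge(submitted)
    fake = json.dumps(intended, sort_keys=True).encode()
    return token_confirm(fake, ch_tag, lambda shown: True)
```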


Ledger and Trezor have a display, though I don't know whether their U2F UX is any good.



