
How does this compare to a Yubikey for example?


The hardware is open-source, you can theoretically update the firmware so you're not vulnerable if a researcher finds a bug after your purchase, there's currently no support for getting it to act as a keyboard and type the password for you AFAICT, to name a few.


I don't think this is true in the general case. Most Solokeys come in a "locked" form-- they will only accept firmware updates that are signed by the manufacturer. You can buy a "hacker" variant that is unlocked (meant for those that want to tinker with the firmware), but if you were to use one of those you're giving up security against someone loading malicious firmware onto your device.

This is probably the right tradeoff for most users. Solokeys has done a great job of providing continuous support for all of their products, and their software stack has been open source since the beginning. That (combined with the low price) makes them my first choice for a hardware security token.


> You can buy a "hacker" variant that is unlocked (meant for those that want to tinker with the firmware), but if you were to use one of those you're giving up security against someone loading malicious firmware onto your device.

You can't set it to wipe when updated?


I have no firsthand information, but reading https://github.com/solokeys/solo

"Solo Hacker can be converted to a secure version, but normal Solo cannot be converted to a Hacker version."


Yubikey supports FIDO2 and PIV like this one, but also supports OpenPGP, so if you need that it's not a replacement.

It's more open source though. Yubikey open sources some components like that PGP applet but not all.



