I am planning to apply for QES in my country, but I am concerned with the security robustness of the available options. The trust service providers usually offer to issue QES on local capsulated storage, such as USB token or smartcard, or offer a strategy that uses a cloud-based key vault. To my understanding, in all cases, the QES is additionally secured with a secret PIN, which has to be entered in the client when requesting authentication. Exposing the PIN to the system however worries me.
My concern is that the client devices, personal computer or smartphone, host customizable software environments with network facing components. Despite TPM/DRM/secure boot/digital software signing, they are still likely subjects to zero-day exploits or pre-patch exploits. In the case that they are compromised by some kind of malware, I am concerned that it would enable theft of the PIN and temporarily allow unauthorized transactions with it from the system. Assuming that the USB token is a challenge-response oracle device (correct me if my assumption is incorrect), not simply encrypted storage, I imagine that if it had some kind of acknowledgement, a hardware button, which limits the authentications that it performs and also had a keypad that allowed entering the PIN securely, it would have minimized the consequences from using infected client systems. Are such setups available or what is the closest solution?
I am not sure if the question is appropriate. I have asked on a different platform, and it doesn’t seem to attract responses.