A sk- key with no user presence test to use and pin to update is pretty perfect in my book.. Anything less and the authentication can too easily be permanently stolen out of pointless soft protections any more and the decisions are overly complicated hoops for whatever they were supposed to deliver.