I'd like it to actually be hardware with tamper evidence (or response, even better), unlike Trezor. That makes it a lot easier to use a weaker password or biometric to authenticate with it, safely.
The unknown thing is whether it should communicate directly to the computer, or have all communications mediated by the user. I'd be more comfortable if it only had one-way communications capability (user enters something on a device-local keypad, it sends data transmit-cable-only back to the computer), but that's not going to work with mobile, probably.
You could emulate a keyboard, and have the Bluetooth/USB stacks implemented in dedicated chips, with a 1-way serial connection from the main MCU.
But it's pretty nice to be able to hit a keyboard shortcut and have it figure out which password to fill rather than scrolling through a list. It would be a pain to enter all the site names without management software too.