Yeah, this seems like old news - cookies can be stolen, and FIDO doesn’t change that unless you are prompting the hardware token for validation with every request (which isn’t feasible for most things, though might be a good idea for sensitive actions).
Desktop: Windows XP
Linux: Probably Raspbian on a Pi 2 b
Tech has come a long way since then lol