I still wouldn’t trust it because of homograph attacks.

Yeah. The huge legal distinctions between different ways of unlocking a device seem absurd. Comprehensive privacy legislation would help.

Authorities with a warrant can drill into a safe to get to its contents. That’s legally distinct from forcing someone to unlock the safe by entering the combination. It takes some mental effort to enter a combination, so it counts as “testimony”, and in the USA people can’t be forced to testify against themselves.

The parallel in US law is that people can be forced to unlock a phone using biometrics, but they can’t be forced to unlock a phone by entering a passcode. The absurd part here is that the actions have the same effect, but one of them can be compelled and the other cannot.

This is a terrible idea. It’s negligibly better than writing down the passwords, because it’s trivially easy to try every password represented on this card. Once someone has the card, your entropy is just two characters, which is the two characters you memorize for the site. In effect, you have a 2 character password.