I've spent a lot of my life around Toxteth and Moss Side, and that doesn't affect my threat model relevant to phishing and FIDO. Mugging is probably less of a threat than break-in anyway, as far as compromised hardware goes. You separate the token when it's at risk, and the setup procedure claimed for FIDO, to the extent it exists, seems about as easy as it could be. It's a key. People can understand physical security to a reasonable degree, and typically not abstract computer security.