
Using zx2c4 pass with a Yubikey 4. Passwords are GPG encrypted. The private key is on the Yubikey and cannot be read out. The Yubikey 4 is set to require a touch per password unlock. The only passwords at risk are the ones unlocked. At that point, the trojan could install a keylogger and have the same amount of success.

Losing the password store isn't a problem either. It has a git remote on a USB stick. There's a backup if it's ever lost.



This is interesting. I am not well versed on yubikey, but does it allow you to have a similar setup with other password managers, like keepass? (Meaning, one press per one password) Or is it just a substitute for typing a master password?


There are several integrations, but I don't have Google Play Services on my phone, so I only use what's available via F-Droid. See my other comment in this thread.

https://www.yubico.com/support/partners/#password-management

The touch setting is specific to OpenPGP keys. If you set it, it works that way for all uses of your OpenPGP key. You can turn it on to see if you like it. If you do, you can also set it to 'fix.' Once fixed, it can never be turned off again without deleting the private key and starting over.

https://developers.yubico.com/PGP/Card_edit.html#_yubikey_4_...


In case you want to use the same passwords on iDevices, what would you recommend for a password db?

EDIT: irremediable posed the same question at the same time ;-)


iOS doesn't have an NFC API. Thanks Apple.

https://www.yubico.com/products/yubikey-hardware/yubikey-neo...

Works okay on Mac OS with GPGTools and QTPass.


In that setup, how do you handle needing passwords on your phone?


There's an app for that. Android Password Store[1]. You can use a Yubikey Neo with NFC in combination with OpenKeychain[2]. Both are available on F-Droid.

[1]https://github.com/zeapo/Android-Password-Store

[2]https://github.com/open-keychain/open-keychain


Which phone? If it is Android, you could root it and use the same commands. Else, if you don't want to root or are using iOS, there is software available for LastPass and 1Password.


So what happens when you lose the yubikey?


You can encrypt a folder to multiple public keys. Good for having a backup yubikey, sharing a group of passwords with a spouse or other VIP, etc.
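The "lost Yubikey" question above and this answer both come down to one OpenPGP property: a message encrypted to several recipients can be opened by any one of them. The script below is an added example, not code from the thread or from the pass project. It encrypts a constructed secret to two locally generated test keys (standing in for the Yubikey key and a spare), then decrypts it from a fresh keyring that holds only the spare. It assumes `gpg` 2.1 or later on `PATH`; the user ids, passphrases and the `hunter2` sample are constructed. The `pass` commands appear only in comments: `pass init ID1 ID2` writes both ids to `.gpg-id` and re-encrypts every entry to all of them, which is the mechanism the comment describes.

```shell
#!/bin/sh
# Added example: encrypt one secret to two OpenPGP keys, then prove the
# backup key alone still decrypts it. This is what pass does per entry when
# .gpg-id lists more than one key (set with: pass init ID1 ID2 ...).
# Assumes gpg >= 2.1 on PATH. All user ids and the secret are constructed.
set -eu

PRIMARY='Primary Key <primary@example.invalid>'   # stands in for the Yubikey key
BACKUP='Backup Key <backup@example.invalid>'      # stands in for the spare key
SECRET='hunter2'                                  # constructed sample password

# gen_key HOMEDIR USERID: throwaway unprotected key so no pinentry is needed.
gen_key() {
    GNUPGHOME="$1" gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key "$2" default default never
}

# Prints the password recovered using ONLY the backup key.
demo_multi_recipient() {
    work=$(mktemp -d)
    main="$work/main"; spare="$work/spare"
    mkdir -m 700 "$main" "$spare"

    # Both keys live in "main", as on the machine where `pass init` ran.
    gen_key "$main" "$PRIMARY"
    gen_key "$main" "$BACKUP"

    # One ciphertext, two recipients: the message key is wrapped once per key.
    printf '%s\n' "$SECRET" | GNUPGHOME="$main" gpg --batch --quiet --yes \
        --trust-model always -e \
        -r primary@example.invalid -r backup@example.invalid \
        -o "$work/entry.gpg"

    # Simulate the lost Yubikey: a fresh keyring that holds the backup key only.
    GNUPGHOME="$main" gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --export-secret-keys backup@example.invalid \
        | GNUPGHOME="$spare" gpg --batch --quiet --import

    # The primary key is absent here, yet the entry still opens.
    GNUPGHOME="$spare" gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        -d "$work/entry.gpg"

    # Stop the agents gpg started for the temporary homedirs, then clean up.
    GNUPGHOME="$main" gpgconf --kill gpg-agent 2>/dev/null || true
    GNUPGHOME="$spare" gpgconf --kill gpg-agent 2>/dev/null || true
    rm -rf "$work"
}

# Stand-alone use: ./multi_recipient.sh --run   (prints the recovered secret)
if [ "${1:-}" = "--run" ]; then
    demo_multi_recipient
fi
```

The same property is what makes re-encryption after a lost key matter: remove the lost id from `.gpg-id` and run `pass init` with the remaining ids so new entries are no longer readable by a key you no longer control.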



