Trusted Third Party is a security hole, when your multisig keys are generated by a app you don't control, a server you don't control and a hardware device you can't reproduce you are not in control.
Discussion
gm nvk
Most Devs are un-concerned becuase most 'users' don't care and will trust what-ever.
I think we need a really simple, low level application for this that is easily validated, compiled and run on any os. Trusting browser extensions will never pass for me, I would rather trust buggy clients.