I'm surprised they're willing to trust a mouse click on a notification. (Can't that be simulated by malware by using the Accessibility APIs?) I was expecting a U2F authenticator that wanted a Touch ID touch first.
Malware is a game-over scenario either way. It can simply steal your session keys or send requests from your browser with an active session.
That said, there seems to be some sort of Touch Bar integration[1]. It doesn't currently store the keys in SEP, but that might become an option at some point[2].