What are the benefits of PIV auth for a personal Mac laptop?

3

I have a YubiKey smartcard for challenge-response authentication with several personal online accounts. With online accounts, the benefits of two-factor authentication are straightforward: only someone with both my password and my physical key can sign in to my accounts. Smartcards are better than SMS-based challenges because access to my phone number is not sufficient for access (and apparently phone numbers are a weak link in this regard).

macOS Sierra supports using smartcard keys for signing in to a Mac (Yubico docs). I don't connect to my personal Mac laptop remotely, and I use the macOS built-in firewall to only allow certain programs to accept incoming connections. I notice that auth challenges for things like unlocking the screen, installing software, and changing preferences will use the key. I prefer to use the nub-style YubiKey that stays in my laptop's USB port, which means anyone with physical access to the laptop has the key.

Are there any benefits to using YubiKey PAM with macOS Sierra on a personal laptop with the firewall enabled? Does this provide an extra layer of protection against remote attacks, or am I equally covered (or equally vulnerable) without it? With the smartcard left in the slot, is PIV auth only useful if remote login is available or auth is remote-managed?

Dan Sanderson

Posted 2016-10-04T22:03:15.613

Reputation: 131

Answers

2

The only benefit I personally see for local auth is that it's somewhat more secure against malware (which cannot spoof root password prompts anymore).

On the one hand, "physical access" is a rather important part. A smartcard token cannot be copied (the way someone could copy ~/.ssh/id_rsa without leaving any trace), and even with physical access it cannot be cloned without quite a bit of time and resources. In general, it can only be 'borrowed' out of your USB port, which is very noticeable.

On the other hand, it doesn't help if the whole computer is stolen (or if someone can just sit down and use it), and I definitely wouldn't leave such a key permanently inserted in the computer if it's also used for web authentication – especially not if the same computer has all regular passwords stored in the web browser. (That's like writing down your PIN on the bank card itself.)

user1686

Posted 2016-10-04T22:03:15.613

Reputation: 283 655