I recently bought a YubiKey 4 and one of the first things I wanted to try out was securing the login to my MacBook Pro.
macOS Sierra re-introduced native support for smart cards, making it easier to set up and use them with macOS.
Following the setup guide for macOS Sierra provided by Yubico took less than 5 minutes (protip: you can brew cask install yubikey-piv-manager).
It has some limitations – you can’t require the YubiKey to be present, and when present you can only set a simple 6-8 digit numeric passcode.
What this amounts to is that you can have a very long password for when the YubiKey is not present, and a much shorter, quicker to enter passcode when it is.
It works when logging in after logging out and when unlocking the screen but not from a restart or cold boot, which is only a slight annoyance since I don’t restart my computer that often.
My next step will be to try YubiKey PAM, which does allow you to require the YubiKey (although if you do this, make sure to get a second YubiKey for a backup) and will hopefully work from a restart.