
Boring_Ad_3065 t1_j2f7rwd wrote

You still type a PIN in for a CAC / PIV. The readers used to come standard on many laptops (the card was inserted and stuck out a bit over a centimeter, barely noticeable). Now they’re a $10-20 accessory, not terribly pricey but annoying if you move a lot with your laptop.

As far as token fobs with OTP, it depends. The RSA hack affected all customers and allowed the hackers to generate the OTPs. Not sure about the two Okta breaches, but there’s only a handful of providers (though MS, Google, and others all have their own), so a breach in one can affect hundreds of companies/services.

https://www.wired.com/story/the-full-story-of-the-stunning-rsa-hack-can-finally-be-told/

https://techcrunch.com/2022/12/22/okta-breach-source-code-github/

7

happyscrappy t1_j2faf0d wrote

> You still type a PIN in for a CAC / PIV. The readers used to come standard on many laptops (the card was inserted and stuck out a bit over a centimeter, barely noticeable). Now they’re a $10-20 accessory, not terribly pricey but annoying if you move a lot with your laptop.

The PIN is not a shared secret. You don't type anything in that goes to the service on the other end. The PIN (if used, and it often is) just enables the card. The card does the entire transaction with the other end using a key in the card. A key that is never sent out of the card, not even during account setup.

> As far as token fobs with OTP, it depends. The RSA hack affected all customers and allowed the hackers to generate the OTPs.

Those aren't TOTP. I didn't know those RSA fobs (mine was actually credit card shaped) were even used anymore. They basically work like a rolling-code garage door. Either way there is a shared secret: when the fob was created, a key was either sent into it or out of it. The other end of the connection uses that shared secret to generate the same sequence as the card is generating.

With a CAC/PIV the private key needed to authenticate is neither sent into nor out of the card ever. It's not stealable with a hack by the manufacturer or anyone else. No one else at all has the key. In theory it can be extracted from the card. They try to make it difficult though. You operate under the theory that the key didn't exist before you generated it. And after that you've had sufficient custody of the card that no evil maid had time to get it out.

2
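The contrast happyscrappy draws above, as an added example that is not part of the thread: an OTP fob where the verifier must keep a copy of the seed (so a copy of that seed database reproduces the codes, the RSA-breach point), beside a PIV-style card where enrollment exports only the public key, the PIN is checked on the card, and the server verifies a signature over a fresh challenge. Standard library only: HOTP per RFC 4226 with the RFC's test seed, and unpadded textbook RSA over two fixed Mersenne primes standing in for on-card key generation (constructed, to show the trust model; not a production signature scheme). Class and function names are this example's own.

```python
import hashlib
import hmac
import secrets

# ---- 1. OTP fob: fob and server hold the same seed -------------------------

def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamic truncation."""
    mac = hmac.new(seed, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class OtpFob:
    """The hardware token: seeded at manufacture, keeps an event counter."""
    def __init__(self, seed: bytes):
        self._seed, self._counter = seed, 0

    def next_code(self) -> str:
        code = hotp(self._seed, self._counter)
        self._counter += 1
        return code


class OtpServer:
    """The verifier must store every fob's seed: a shared secret."""
    def __init__(self):
        self.seed_db, self._counters = {}, {}

    def enroll(self, user: str, seed: bytes):
        self.seed_db[user] = seed            # the secret leaves the fob here
        self._counters[user] = 0

    def verify(self, user: str, code: str, window: int = 5) -> bool:
        start = self._counters[user]
        for i in range(start, start + window):   # resync after skipped presses
            if hmac.compare_digest(hotp(self.seed_db[user], i), code):
                self._counters[user] = i + 1
                return True
        return False


def demo_otp() -> dict:
    seed = b"12345678901234567890"           # RFC 4226 test seed (constructed)
    fob, server = OtpFob(seed), OtpServer()
    server.enroll("alice", seed)
    code = fob.next_code()
    # A copy of the server's seed database is enough to reproduce the code
    # without the fob: the thread's point about the RSA SecurID breach.
    from_db = hotp(server.seed_db["alice"], 0)
    return {"fob": code, "from_server_db": from_db,
            "verified": server.verify("alice", code)}

# ---- 2. PIV-style card: the private key never leaves the card --------------

# Fixed Mersenne primes stand in for on-card key generation (constructed).
_P, _Q = 2 ** 521 - 1, 2 ** 127 - 1


class PivCard:
    def __init__(self, pin: str):
        self._pin, self._unlocked = pin, False
        self._n, self._e = _P * _Q, 65537
        self._d = pow(self._e, -1, (_P - 1) * (_Q - 1))  # stays inside the card

    def public_key(self) -> tuple:
        return self._n, self._e              # the only thing enrollment exports

    def unlock(self, pin: str) -> bool:
        self._unlocked = hmac.compare_digest(pin, self._pin)  # checked on-card
        return self._unlocked

    def sign(self, challenge: bytes) -> int:
        if not self._unlocked:
            raise PermissionError("card locked: PIN required")
        h = int.from_bytes(hashlib.sha256(challenge).digest(), "big")
        return pow(h, self._d, self._n)      # textbook RSA, illustration only


class PivServer:
    """Stores public keys only; nothing here can produce a valid signature."""
    def __init__(self):
        self.pubkeys = {}

    def enroll(self, user: str, card: PivCard):
        self.pubkeys[user] = card.public_key()

    def challenge(self) -> bytes:
        return secrets.token_bytes(32)       # fresh nonce per login

    def verify(self, user: str, challenge: bytes, sig: int) -> bool:
        n, e = self.pubkeys[user]
        h = int.from_bytes(hashlib.sha256(challenge).digest(), "big")
        return pow(sig, e, n) == h


def demo_piv() -> dict:
    card, server = PivCard(pin="123456"), PivServer()
    server.enroll("bob", card)
    chal = server.challenge()
    result = {"wrong_pin_unlocks": card.unlock("000000")}
    try:
        card.sign(chal)
        result["locked_card_signs"] = True
    except PermissionError:
        result["locked_card_signs"] = False
    card.unlock("123456")                    # the PIN is never sent to the server
    sig = card.sign(chal)
    result["verified"] = server.verify("bob", chal, sig)
    # The nonce changes per session, so a recorded signature does not verify later.
    result["replay_verified"] = server.verify("bob", server.challenge(), sig)
    return result


if __name__ == "__main__":
    print(demo_otp())
    print(demo_piv())
```

The asymmetry is in what each server stores: `OtpServer.seed_db` can regenerate every user's codes, while `PivServer.pubkeys` can only check them. A leak of the first is an account-wide compromise (the reason an OTP vendor breach hits all its customers); a leak of the second is not a secret at all. The card-side PIN check is what makes a stolen card alone insufficient, and the fresh challenge is what makes a captured signature useless.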