It’s mostly the physical element to verify the user. For CAC/PIV, it’s an ID badge that also has RFID that some buildings use for building/room accesses, so basically IT security + corporate badge in one.

The RSA fobs are at least as secure, I assume, based on how I’ve seen both used.

https://www.nist.gov/identity-access-management/personal-identity-verification-piv