by Fnoord 3471 days ago
> It seems an attacker with physical access still requires your password to unlock the disk. At that point, they'd need the Yubikey to login (assuming they haven't already decrypted the disk and taken your data).

It's just PAM (pam_yubikey to be precise). If they have physical access they can edit the requirement for Yubikey in PAM.

If there's FDE (FileVault) then I don't know. But I do know the PAM configuration must be read, and is therefore in r/w. It isn't in some kind of security enclave.
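
A defender-side check for the point made in the comment above, added here as an example and not code from the thread: it audits a PAM auth stack and reports when the `pam_yubikey` requirement is missing, downgraded, or preceded by a `sufficient` module that can end the stack early. The function name and the sample stacks are constructed for illustration.

```python
import re

# PAM rule: type, control (keyword or [bracketed list]), module path, args...
PAM_LINE = re.compile(r"^-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)")
ENFORCING = {"required", "requisite"}

def audit_auth_stack(text, module="pam_yubikey"):
    """Return findings about how `module` is enforced in the auth stack."""
    findings, seen, earlier_sufficient = [], False, []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()          # drop comments
        m = PAM_LINE.match(line)
        if not m or m.group(1) != "auth":
            continue
        control, name = m.group(2), m.group(3).rsplit("/", 1)[-1]
        if name.startswith(module):
            if control not in ENFORCING:
                findings.append(f"line {n}: {module} is '{control}', not enforced")
            if not seen:
                # A successful 'sufficient' module returns success immediately,
                # so anything listed after it is never consulted.
                findings += [f"line {ln}: sufficient {mod} can succeed before {module} runs"
                             for ln, mod in earlier_sufficient]
            seen = True
        elif control == "sufficient" and not seen:
            earlier_sufficient.append((n, name))
    if not seen:
        findings.append(f"{module} not present in the auth stack")
    return findings

# Constructed sample stacks (not taken from any real system).
GOOD = """\
auth       required       pam_yubikey.so
auth       required       pam_unix.so
account    required       pam_permit.so
"""
COMMENTED_OUT = """\
#auth      required       pam_yubikey.so
auth       required       pam_unix.so
"""
DOWNGRADED = """\
auth       sufficient     pam_unix.so
auth       optional       pam_yubikey.so
"""

if __name__ == "__main__":
    for label, stack in (("good", GOOD), ("commented out", COMMENTED_OUT),
                         ("downgraded", DOWNGRADED)):
        print(label, audit_auth_stack(stack))
```

The result is only trustworthy when the file is read from outside the machine being checked, for example from a mounted disk image or a configuration-management copy, since the checker can be edited as easily as the PAM file itself.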