by LIV2 2611 days ago
Usually these are configured to be the private key, not unlock the one on your computer. This prevents your key being hijacked (every signing operation requires a physical button press on the key) and prevents its theft.

If an attacker can exfiltrate your private key they can probably keylog your passphrase & your VPN details.

PIV/GPG smartcard solves the former and 2FA solves the latter, so something like a YubiKey/Nitrokey gives you both in one device.

Anecdotally I do have a friend who had his private key & passwords pilfered which was noticed when someone tried logging in from some other country.