Currently, tokenring serves only as a single-factor authentication method; if you have access to the physical token, and it doesn't require a PIN or a biometric, then the only thing an attacker with physical access needs to do is physically grab your key and tap the contact a bunch of times to exfiltrate your whole vault.
(For my own threat model and use-case, this is sufficient; I want to securely require user-presence verification on certain secrets so that PyPI uploads can't be done noninteractively; my physical threat model is addressed with FileVault and a 1-minute auto-lock whenever I'm in public. But for something more general, a passphrase would be better.)
It should be possible to mix in a KDF-derived key with the authenticator-derived key to protect the vault.
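As an added illustration of that idea (this is example code, not tokenring's own implementation), the sketch below derives a vault key from two independent inputs: a key the authenticator hands back after a touch (here a constructed 32-byte placeholder standing in for whatever the token returns) and a passphrase stretched with scrypt. The two are combined through HKDF so that neither input alone reproduces the vault key, and a keyed check value lets the vault detect a wrong key before any decryption is attempted. The function names, the `info` label and the scrypt parameters are assumptions chosen for the example; only the standard library is used.

```python
import hashlib
import hmac
import os


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """RFC 5869 HKDF (extract + expand) over HMAC-SHA256, stdlib only."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def passphrase_key(passphrase: str, salt: bytes) -> bytes:
    """Memory-hard stretching of the passphrase; parameters are an assumption."""
    return hashlib.scrypt(passphrase.encode("utf-8"), salt=salt,
                          n=2 ** 14, r=8, p=1, dklen=32)


def vault_key(authenticator_key: bytes, passphrase: str, salt: bytes) -> bytes:
    """Mix the authenticator-derived key with the KDF-derived key.

    Both inputs feed HKDF as input keying material, so an attacker holding
    only the token (and therefore only authenticator_key) cannot reach the
    vault key without also knowing the passphrase, and vice versa.
    """
    pk = passphrase_key(passphrase, salt)
    return hkdf_sha256(authenticator_key + pk, salt, b"example-vault-key-v1")


def key_check_value(key: bytes) -> bytes:
    """Keyed tag stored beside the vault so a wrong key is rejected early."""
    return hmac.new(key, b"example-vault-kcv", hashlib.sha256).digest()


def key_matches(key: bytes, stored_kcv: bytes) -> bool:
    return hmac.compare_digest(key_check_value(key), stored_kcv)


if __name__ == "__main__":
    # Constructed stand-ins: a token-derived secret and a per-vault salt.
    token_secret = bytes(range(32))
    salt = os.urandom(16)

    k = vault_key(token_secret, "correct horse", salt)
    kcv = key_check_value(k)
    print("passphrase + token unlocks:", key_matches(k, kcv))
    print("token alone unlocks:",
          key_matches(hkdf_sha256(token_secret, salt, b"example-vault-key-v1"), kcv))
    print("wrong passphrase unlocks:",
          key_matches(vault_key(token_secret, "wrong", salt), kcv))
```

The check value is safe to store in the clear next to the vault: it is an HMAC under the vault key, so it neither leaks the key nor helps an attacker who lacks one of the two factors.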