I can't speak for them but that's exactly what I do with a Yubikey on my personal keys & work badgecard lanyard. My rationale is that the physical key prevents remote attacks since they can't use the token and anyone who finds/steals my keys won't have the password. Scenarios where the attacker has both aren't on my personal radar — that's the kind of situation where you're looking at things like duress codes.
