The key feature of security tokens is that it’s very difficult to extract or manipulate their internal state. A short numeric PIN enforced by a token is much more secure than a high-quality password whose hash is stored in a database: the token can rate limit PIN attempts and zeroize itself if too many attempts are made.