It depends on how you're using it, but the hardware token generally requires a PIN for most operations. I think the real argument is that hardware tokens absolve the web host/service of responsibility for passwords. With tokens I'm just presenting the challenge given a public key. Nobody can hack all the tokens at once like they can a database full of passwords.