Further OS hardening
There’s a couple other options we can set to further improve OS security, and these can be found in System Preferences, in the Security & Privacy pane.
First is to set Require password immediately so that you are always prompted to authenticate from the screensaver or from sleep. The second setting is found by clicking the padlock, then the Advanced button and it’s the tick box marked Turn on screen saver when login token is removed. This is shown below.
It’s worth noting this option only appears after a smart card device has been paired to a macOS user. The combination of those two settings will cause your Mac to automatically lock and immediately require the password (and only from the Smart Card!) before letting you back in.
Final Words
That neatly locks your Mac to only allow authentication from the PIN on your Smart Card for login and screensaver. A lot of this stuff is provided for information, and at some point I’ll probably think of a script or two to automate most of this. However this should be enough to get you all going for now.
Oh and don’t forget to backup your system before starting! 