Hacker News

akdev1l today at 12:44 AM | 2 replies

Notably macOS cannot do this


Replies

parl_match today at 12:51 AM

Careful with absolutist statements :)

macOS can in fact be configured to use a third-party IdP, including interactive elements, on loginwindow.

So, you could build your own through the ExtensibleSingleSignOn and Extensible Enterprise SSO macOS plugin API. You would do Touch ID, and then have it pop your own custom window/app, providing a prompt through that API, except it's just a hardcoded value (or some shit idk)

https://youtu.be/ph37Yd1vV-c

So yes, macOS can in fact do that. Just not out of the box. I strongly believe that it is a glaring omission, or at least something they should gate through Lockdown Mode. idk!

midtake today at 4:29 AM

If you create a PIV certificate on a YubiKey and just plug it in while logged in, it automatically registers it as a login method.