It may not be the purest usage mode, but even a permanently inserted YubiKey protects you when your password has been sniffed on the network or by a keylogger.
Moreover, the YubiKey also acts as a PGP smartcard, giving you a private key (e.g. for SSH) that an attacker can't extract even if they obtain root on your laptop.
As much as I would like a "Retina MBA", the lack of a separate USB port is a dealbreaker for me too.
As long as the machine is on, can't the attacker ask the YubiKey to generate signatures on their behalf?
This is similar to standard SSH agent forwarding attacks. A sysadmin connects to a malicious server via SSH. If the sysadmin turns on agent forwarding, then "malicious root" can remotely ask the sysadmin's agent (running on the sysadmin's laptop) to authenticate to any other machine that accepts the sysadmin's public key. The malicious root can log in to any other server the sysadmin has access to, as long as the sysadmin still stays connected.
As long as the machine is on, can't the attacker ask the YubiKey to generate signatures on their behalf?
For the 2FA OTP portion: No. The button needs to be physically touched.
For the PGP (SSH) portion: Yes (but again, the attacker cannot obtain a copy of the private key; that's the critical difference from your scenario).
That's why (at least for critical servers) you should combine the two. That way an attacker can at most piggyback on your connections. He cannot initiate his own because he cannot touch the button.
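An added example (not from the thread) of the combination suggested above: an OpenSSH server that accepts a login only when both the public key backed by the YubiKey's PGP applet and a touch-generated YubiKey OTP (checked by pam_yubico) are presented. CLIENT_ID, API_KEY and the mapping file path are placeholders you would replace with your own values.

```conf
# /etc/ssh/sshd_config (excerpt, added example)
# Require BOTH an SSH public key (the one whose private half lives on the
# YubiKey's PGP applet) AND a keyboard-interactive step handled by PAM
# (the YubiKey OTP). A forwarded or piggybacked agent can satisfy the first
# factor, but only a physical touch of the key produces the second.
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication yes   # ChallengeResponseAuthentication on older OpenSSH
UsePAM yes
AuthenticationMethods publickey,keyboard-interactive:pam

# /etc/pam.d/sshd (excerpt, added example)
# Validate the OTP with pam_yubico instead of asking for a UNIX password.
# CLIENT_ID / API_KEY are placeholders for the credentials issued by Yubico's
# API signup; the mapping file lists which YubiKey public IDs belong to which
# user, one "user:public_id[:public_id...]" line per user, where the public
# ID is the first 12 characters of any OTP that key emits.
auth required pam_yubico.so id=CLIENT_ID key=API_KEY authfile=/etc/yubikey_mappings
# Remove or comment out the distribution's password line (e.g. "@include
# common-auth" on Debian) so the keyboard-interactive step asks only for
# the OTP; otherwise a password prompt is added on top of the OTP.
```

Test from a second session before closing your current one, because a mistake in the PAM stack locks out keyboard-interactive logins entirely.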
No, the YubiKey cannot be activated from the OS, just from the touch-capacitive sensor embedded in it. It can be re-programmed, but I've not seen a way to trigger a generation, even from the re-programmer.