Let me just add though - that even in this mode, if your PC is compromised you are not safe, as the produced master key could still be captured. The device won't do the signature, it will just produce the master key, which can be captured on a compromised PC.
However, if the signature happens on another device (e.g. Trezor / mobile cell phone) it is far less likely that it will get hacked.
Just to add to what bitmeat said, all of these supposedly MFA schemes being recommended in this thread are just tiny marginal improvements in security that are insignificant compared to the true MFA security provided by multisig. The multisig security necessary can only be achieved when the BitShares client itself has been upgraded to implement those features. Then, a transaction can be signed by different devices each storing the private key for their part of the signature on the separate devices. The probability of all of the devices being simultaneously compromised is low, which is what provides the security. This is especially true when some of the devices are used specifically for these signing purposes only and do not have an internet connection. An example of such a device would be a Trezor or, more realistically for our purposes, a separate laptop with internet connectivity disabled that boots a live Linux environment from a read-only medium (this is also why offline transaction signing features are necessary for the client).
Here is an example of how the Yubikey may not protect you if you have malware running on your computer. You use the Yubikey to essentially auto-type a secure passphrase into Keepass and unlock the password manager. You then need to copy your BitShares wallet password from Keepass and paste it into the BitShares client to unlock it. You could have malware running on your computer that simply logs a copy of everything you copy and paste while using the OS. It could then upload the changes to this log to the attacker's server whenever it has an internet connection. The malware could also scan your hard drive for something that looks like your Keepass database and your BitShares encrypted wallet private key and upload those to the server as well (worst-case scenario, the attacker could do this semi-manually with the help of screen captures after they are informed by the malware that the victim has cryptocurrency apps installed on their computer). With the BitShares encrypted wallet private key, the Keepass database, and the Keepass master passphrase, which can be trivially bruteforced using the list of copied text from the clipboard log, the attacker could get access to the decrypted BitShares wallet private key and thus access to all of the funds held by all BTS accounts available via the BitShares wallet.
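The point made in the post above, that all signing devices being compromised at once is unlikely, can be put in numbers. The following is an added example, not part of the original thread or of the BitShares client: it generalizes to m-of-n signing, and the per-device compromise probabilities, the device names and the assumption that devices fail independently are all constructed for illustration.

```python
# Added illustration: chance that an attacker holds enough keys to sign,
# for an m-of-n multisig setup. All probabilities below are constructed.

def p_at_least(m, probs):
    """Probability that at least m of the devices are compromised.

    probs: per-device compromise probabilities, assumed independent
    (the assumption breaks if devices share a passphrase, a backup
    or a sync channel, so treat the result as a lower bound).
    """
    # dist[j] = probability that exactly j devices seen so far are compromised
    dist = [1.0]
    for p in probs:
        nxt = [0.0] * (len(dist) + 1)
        for j, q in enumerate(dist):
            nxt[j] += q * (1.0 - p)      # this device stays clean
            nxt[j + 1] += q * p          # this device is compromised
        dist = nxt
    return sum(dist[m:])


# Constructed per-device figures for one exposure period.
ONLINE_PC = 0.05        # everyday machine, browses the web
PHONE = 0.02            # second online device
OFFLINE_LAPTOP = 0.001  # air-gapped, boots a read-only live system


def theft_risk():
    """Risk of the attacker reaching the signing threshold, per setup."""
    return {
        "1-of-1 online PC": p_at_least(1, [ONLINE_PC]),
        "2-of-2 PC + phone": p_at_least(2, [ONLINE_PC, PHONE]),
        "2-of-3 PC + phone + offline": p_at_least(
            2, [ONLINE_PC, PHONE, OFFLINE_LAPTOP]),
        "3-of-3 PC + phone + offline": p_at_least(
            3, [ONLINE_PC, PHONE, OFFLINE_LAPTOP]),
    }


if __name__ == "__main__":
    for setup, risk in theft_risk().items():
        print(f"{setup:32s} {risk:.6f}")
```

With these figures, adding the offline laptop as a third key in a 2-of-3 setup does not lower theft risk compared with 2-of-2; the offline device only pays off when its signature is required.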