The Yubikey is a small hardware token shipped by Yubico. It sends an OTP, which is validated against the Yubico server.
You need the Auth::Yubikey_WebClient package.
You need to get a client ID and a secret key from Yubico. See the Yubico API page.
In the manager (second factors), you just have to enable it:
$_2fDevices =~ /"type":\s*"UBK"/s
, else Yubikey will be required even if users are not registered. This is automatically done when "activation" is simply set to "on".
If you don't want to use self-registration, set the public part of the user's Yubikey in the Second Factor Devices array (JSON) in your user database. Then map it to the _2fDevices attribute (see exported variables):
[{"name" : "MyYubikey" , "type" : "UBK" , "_secret" : "########" , "epoch":"1524078936"}, ...]
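The following is an added example, not LemonLDAP::NG's own code: it applies the rule shown above to constructed _2fDevices values and compares it with parsing the JSON. The rule allows no whitespace between "type" and the colon, so a hand-provisioned value spaced like the array above is not matched by it. The helper names, the sample values and the 12-character public-ID prefix (Yubico's default OTP layout) are assumptions.

```perl
use strict;
use warnings;
use JSON::PP;    # core module

# The rule from this page, applied to the raw _2fDevices string.
sub ubk_by_rule {
    my ($_2fDevices) = @_;
    $_2fDevices //= '';
    return $_2fDevices =~ /"type":\s*"UBK"/s ? 1 : 0;
}

# Hypothetical helper: parse the JSON and return the public part
# ("_secret") of every device whose type is UBK.
sub ubk_public_ids {
    my ($_2fDevices) = @_;
    my $devices = eval { decode_json( $_2fDevices // '' ) };
    return () unless ref($devices) eq 'ARRAY';
    return map { $_->{_secret} // '' }
      grep { ref($_) eq 'HASH' and ( $_->{type} // '' ) eq 'UBK' } @$devices;
}

# Assumption: default Yubico OTP layout, a 12-character modhex public
# ID followed by 32 modhex characters of encrypted data.
sub otp_public_id {
    my ($otp) = @_;
    return $otp =~ /\A([cbdefghijklnrtuv]{12})[cbdefghijklnrtuv]{32}\z/
      ? $1
      : undef;
}

# Constructed sample values of _2fDevices (no real keys).
my %samples = (
    compact => '[{"name":"MyYubikey","type":"UBK","_secret":"cccccckdvvul","epoch":"1524078936"}]',
    spaced  => '[{"name" : "MyYubikey" , "type" : "UBK" , "_secret" : "cccccckdvvul" , "epoch":"1524078936"}]',
    totp    => '[{"name":"Phone","type":"TOTP","_secret":"constructed","epoch":"1524078936"}]',
    none    => '',
);
my $otp = 'cccccckdvvul' . ( 'bcdefghijklnrtuv' x 2 );    # constructed OTP
my $id  = otp_public_id($otp) // '';

for my $k ( sort keys %samples ) {
    my @ids = ubk_public_ids( $samples{$k} );
    printf "%-8s rule=%d parsed=%d otp_matches=%d\n", $k,
      ubk_by_rule( $samples{$k} ), scalar(@ids),
      scalar( grep { $_ eq $id } @ids );
}
```

Writing provisioned values without whitespace around the colons keeps them consistent with the rule.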
If you have enabled self registration, users can register their U2F keys using https://portal/2fregisters