2-factor auth: support Yubikey keys for OTP

[zladuric]

Hello,

It would be great if we could use Yubikey for 2-factor authentication.

The idea is that I can add my Yubikey on npm website (e.g. like on github), and then when I'm usually asked for Google Authenticator or similar, I'd like to instead use Yubikey, or an option to use a different 2FA method (e.g. Authenticator).

My use case is that Yubikey is always at my computer, and my office is in a basement, so no GSM signal, so my phone is often not around. That's why it's pretty inconventient for me to use 2FA at all. Also, I find it much faster/less intrusive to my workflow to just touch Yubikey when prompted, than fishing the phone out, unlocking it, opening Authenticator and entering keys. Additionally, I wanna keep my phone nice and clean and not have to install another app, even if it's a (relatively) trusted app like Authenticator.

Perhaps it would also be cool to have an option for multiple Yubikeys, but personally I just need want one.

[gcochard]

FYI there is a yubico authenticator app that will store the TOTP seed on the yubikey, and allow you to tap to get the OTP code. You should be able to store the same seed on multiple yubikeys if you save it elsewhere or store on both at once.

[dmfay]

Old issue but after the ESLint incident last week I think 2FA is on a lot more people's minds. Yubikeys are a lot more convenient than phones or redundant computers so it'd be great to have the ability to register one as easily as we can register an authenticator app through the site.