Prerequisites:
yubikey 4
pam_yubico

Optional:
sxlock

Install pam_yubico.
Add on top of /etc/pam.d/system-auth:

auth    [success=1 default=ignore] pam_succeed_if.so quiet user notingroup yubikey   
auth    required pam_yubico.so mode=challenge-response   

Plug in yubikey and run:

sudo ykpersonalize -2 -ochal-resp -ochal-hmac -ohmac-lt64 -oserial-api-visible   
sudo groupadd yubikey   
sudo usermod -aG yubikey username   
ykpamcfg -2 -v   

Yubikey will be required for login and to unlock the screen if screen locking tool supports PAM.