Prerequisites:
yubikey 4
pam_yubico
Optional:
sxlock
Install pam_yubico.
Add on top of /etc/pam.d/system-auth:
auth [success=1 default=ignore] pam_succeed_if.so quiet user notingroup yubikey
auth required pam_yubico.so mode=challenge-response
Plug in yubikey and run:
sudo ykpersonalize -2 -ochal-resp -ochal-hmac -ohmac-lt64 -oserial-api-visible
sudo groupadd yubikey
sudo usermod -aG yubikey username
ykpamcfg -2 -v
Yubikey will be required for login and to unlock the screen if screen locking tool supports PAM.