[cromantin]

Unfortunately parent is right. What you describe is using generated one time passwords. But there is no way (to my knowledge) to incorporate 2nd string into it.

Ex: right now - myPass<boop the yubikey><long password from yubikey followed by linefeed>

with otp - myPass<boop><hashed and signed one time password that no nothing about myPass>

[kelnage]

Wow, I had no idea YubiKey offered that mode of operation. I had assumed it was purely used as a OTP. Do you know of any documentation for it?

[cromantin]

This was like 6 years ago :) If i remember correctly it was https://www.yubico.com/wp-content/uploads/2015/11/Yubico_Whi...

I had a blog post some time ago - https://varamashvili.blogspot.com/2012/09/using-yubikey-with...

I should note that currently i'm thinking to migrate to OTP and use brain-string (password that i remember) for filevault and mac login. I will try using OTP for sudo, maybe keychain, will try to add gpg subkey there and see how it'll go.