[laggyluke]

Yubikey is actually pretty "phishable", at least in the OTP mode. It will happily put the token into a phishing website (or literally anywhere else) as soon as you touch it.

It's also good to know that Yubikey's OTP tokens don't expire based on time, but based on a hidden counter that gets incremented with every issued token.

So if you've accidentally touched your Yubikey and leaked the token publicly, you just have to log out and then log back in using your Yubikey - that action will invalidate all tokens issued before this point.

[greggyb]

Yubikeys (or at least some models) can be configured with multiple different OTP implementations. Yubico's own OTP implementation behaves as you have described. It is not a guarantee that generating an OTP from a Yubikey means you have generated a Yubico OTP.