I added YubiKey OTP support to my hubzilla installation. It currently only authenticates "admin" areas of hubzilla. So if the user is admin, they must have logged in using the OTP to access any admin function in Hubzilla. Logging into the account is possible without the OTP. It could be expanded to require OTP as 2FA (or as a secondary primary login) for the account.
I've modified the hubzilla code, it's not something that would probably be good for widespread use - but I could rework the code into a module or add-on, instead of hubzilla code changes. IF anyone else is using the YubiKey. (could also work with other smartcards / keys I suppose).