Reading the documentation for Auth API (Auth API | Duo Security) I see that the supported second factor protocols are auto, push, passcode, sms and phone. The passcode option is defined as coming from Duo Mobile, SMS, hardware token, or bypass code, does this include the YubiKey 44 character string generated when touching the YubiKey capacitive button? If so, does the YubiKey need to be enrolled or registered manually by an admin? The “enroll” API endpoint seems to be desgined for OATH TOTP (returns a QR code). Any clarification will be appreciated.
YES - You can use YubiKey-generated OTPs with the AuthAPI.
YES - YubiKeys must be imported by Duo admins and assigned to users. End users may not self-enroll hardware OTP devices. Learn more here: Managing OTP Hardware Tokens.
Thank you @DuoKristina!