YubiKey is a line of security keys manufactured by Yubico. They are hardware-based 2FA devices designed to protect access to computers, networks, and online services, and they support one-time passwords (OTP), public-key cryptography and authentication, and the Universal 2nd Factor (U2F) and FIDO2 protocols. They come in a handful of form factors, but the key feature you need is on all of them: someone has to be there - in person - to touch the button and release the key, or you shall not pass.
There are a lot of things made for these keys, but the two main packages you are looking for are the cross-platform YubiKey Manager and Yubico Authenticator.
There are all sorts of official tools for various other things you can bolt your YubiKey into, like your login screen and enterprise networks.
In Linux, you can use the YubiKey for passwordless authentication on the sudo and su commands (and others). You can also use it in 2FA mode, where you will be required to enter your password and touch your YubiKey. Instructions for both are outlined below:
Step 1: Make sure the prerequisite PAM packages are installed. On Debian/Ubuntu you can grab them all with apt. You may need to hunt them down yourself on other distros.

$ sudo apt install libpam-u2f libpam-yubico pamu2fcfg

Step 2: Register your YubiKey. pamu2fcfg asks you to touch the key and then prints the credential line for your user, which goes into the mapping file that pam_u2f reads:

$ mkdir ~/.config/Yubico
$ pamu2fcfg > ~/.config/Yubico/u2f_keys

To add another YubiKey to the list of accepted YubiKeys, append it with -n, which prints the credential without the username prefix:

$ pamu2fcfg -n >> ~/.config/Yubico/u2f_keys

Step 3: Edit the PAM configuration for sudo:

$ sudo nano /etc/pam.d/sudo

For passwordless mode, add this line before @include common-auth:

auth sufficient pam_u2f.so cue [cue_prompt=Tap key to continue…]

For 2FA mode, add this line after @include common-auth:

auth required pam_u2f.so cue [cue_prompt=Tap key to continue…]

The control flag and the position are what make the difference. With sufficient placed first, a successful touch satisfies authentication on its own and the password lines after it are skipped; if the key is not plugged in, PAM falls through to the normal password prompt. With required placed after the password line, both the password and the touch have to succeed. The cue option prints the prompt so you know the key is waiting for a touch, and the square brackets are PAM's syntax for an option value that contains spaces.

Step 4: Leave nano open and run

$ sudo echo SUCCESS

in a second terminal window. If it works, you can close nano. If it doesn't work, you did something wrong - revert your changes to pam.d/sudo and try again.

Step 5: You can make these same changes to other PAM configuration files while you are at it. Repeat Step 3 on /etc/pam.d/su and /etc/pam.d/sudo-i to enable YubiKey authentication on those commands as well!
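An added sanity check for the pam_u2f line in a PAM file and for the u2f_keys mapping (example shell script, not from this page or from Yubico's tools; the PAM fragments and credential strings it uses are constructed placeholders): it confirms that the pam_u2f.so line carries the control flag and the position relative to @include common-auth that the chosen mode calls for, and counts how many keys are registered for a user.

```sh
#!/bin/sh
# Added sanity checks (constructed example, not from the page or Yubico's tools):
# verify the pam_u2f line in a PAM file and count the keys in a u2f_keys mapping.

# check_pam_order FILE MODE   (MODE = passwordless | 2fa)
# Succeeds only when the first pam_u2f.so line carries the control flag and the
# position relative to "@include common-auth" that the chosen mode requires.
check_pam_order() {
    file=$1 mode=$2
    u2f=$(grep -n 'pam_u2f\.so' "$file" | head -n 1 | cut -d: -f1)
    inc=$(grep -nE '^@include[[:space:]]+common-auth[[:space:]]*$' "$file" | head -n 1 | cut -d: -f1)
    [ -n "$u2f" ] && [ -n "$inc" ] || return 1
    ctrl=$(sed -n "${u2f}p" "$file" | awk '$1 == "auth" { print $2 }')
    case $mode in
        passwordless) [ "$ctrl" = sufficient ] && [ "$u2f" -lt "$inc" ] && return 0 ;;
        2fa)          [ "$ctrl" = required ]   && [ "$u2f" -gt "$inc" ] && return 0 ;;
    esac
    return 1
}

# count_keys FILE USER
# Prints how many credentials the pamu2fcfg mapping file holds for USER
# (one line per user: user:keyhandle,pubkey,...:keyhandle,pubkey,...).
count_keys() {
    awk -F: -v u="$2" '$1 == u { print NF - 1; found = 1 }
                       END { if (!found) print 0 }' "$1"
}

# --- constructed demo input; the credential strings are placeholders ---
DEMO_DIR=$(mktemp -d)
cat > "$DEMO_DIR/sudo.passwordless" <<'EOF'
#%PAM-1.0
auth sufficient pam_u2f.so cue [cue_prompt=Tap key to continue...]
@include common-auth
@include common-account
EOF
cat > "$DEMO_DIR/sudo.2fa" <<'EOF'
#%PAM-1.0
@include common-auth
auth required pam_u2f.so cue [cue_prompt=Tap key to continue...]
@include common-account
EOF
printf 'alice:KEYHANDLE_A,PUBKEY_A,es256,+presence:KEYHANDLE_B,PUBKEY_B,es256,+presence\n' \
    > "$DEMO_DIR/u2f_keys"

for f in passwordless 2fa; do
    check_pam_order "$DEMO_DIR/sudo.$f" "$f" && echo "sudo.$f: layout correct for $f mode"
done
echo "alice has $(count_keys "$DEMO_DIR/u2f_keys" alice) registered key(s)"
```

Point check_pam_order at the real /etc/pam.d/sudo after editing it to confirm the layout before you close nano.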