Hardware
YubiKey unlock
fd0 can use a YubiKey PIV slot as an unlock method. The slot private key stays on the device. Build fd0 with -tags=yubikey.
Enroll
$ fd0 auth add --yubikey $ fd0 lock $ fd0 unlock --method=yubikey
Multiple readers
If more than one compatible reader is present, set FD0_YUBIKEY_CARD=<substring>. Without it, fd0 refuses to choose a card silently.