Unix PAM: ssh authentication with Yubico OTP and Google Authenticator
Login should be done with 2FA. My preferred way is to use my YubiKey.
As a fallback I want to use Google Authenticator. It is needed when you have to use an ssh client on the phone, for example.
Hardware
YubiKey Editions
Standard, Edge or NEO are usable for PAM OTP authentication. The cheaper U2F-only security key will not work.
YubiKey Slot 2 configuration
download YubiKey Personalization Tool and start it
configure Yubico OTP
Quick
select slot 2
Regenerate
write configuration
Upload to Yubico
remote host configuration
install
apt-get install libpam-yubico libpam-google-authenticator ntp
service ntp stop
ntpdate -s time.nist.gov
service ntp start
user configuration
login with your user account
Yubico OTP config
add your YubiKey public identity (the first 12 characters of an OTP from slot 2) to ~/.yubico/authorized_yubikeys
mkdir ~/.yubico
vi ~/.yubico/authorized_yubikeys
trinitor:vvaabbccddee
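The public identity is the stable 12-character prefix of every OTP the key emits. The following added helper (not part of the original post) extracts it from a pressed OTP, checks that it is valid modhex, and appends the user:id mapping to the file unless it is already there; the constructed OTP and the file path are assumptions, and the vvaabbccddee value above is only a placeholder, not real modhex.

```shell
# A Yubico OTP is 44 modhex characters (alphabet cbdefghijklnrtuv):
# the first 12 are the public ID, the remaining 32 are the encrypted,
# single-use part that pam_yubico sends to the validation server.

# yubi_public_id OTP -> prints the 12-char public ID, returns 1 if malformed
yubi_public_id() {
    otp=$1
    [ "${#otp}" -eq 44 ] || return 1
    case $otp in
        *[!cbdefghijklnrtuv]*) return 1 ;;   # any non-modhex character
    esac
    printf '%s\n' "$otp" | cut -c1-12
}

# add_authorized_yubikey FILE USER OTP -> appends "user:publicid" once
add_authorized_yubikey() {
    file=$1 user=$2 otp=$3
    pubid=$(yubi_public_id "$otp") || return 1
    entry="$user:$pubid"
    # idempotent: do not duplicate an existing mapping
    if [ -f "$file" ] && grep -qx "$entry" "$file"; then
        return 0
    fi
    printf '%s\n' "$entry" >> "$file"
}

# Constructed sample OTP (not from a real key) for a stand-alone run:
SAMPLE_OTP=ccccccbtubrbcbdefghijklnrtuvcbdefghijklnrtuv
yubi_public_id "$SAMPLE_OTP"          # prints ccccccbtubrb
```

Run it as `add_authorized_yubikey ~/.yubico/authorized_yubikeys "$USER" "<paste OTP>"` after pressing the key once in the terminal.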
Google Authenticator
Download a mobile phone app like the HDE OTP Generator or Google Authenticator
run “google-authenticator” in a shell
complete the steps to create the file ~/.google_authenticator
PAM configuration
replace all auth lines in /etc/pam.d/sshd
sudo vi /etc/pam.d/sshd
# Standard Un*x authentication.
# @include common-auth
# [...]
# Disallow non-root logins when /etc/nologin exists.
account required pam_nologin.so
# try YubiKey first and if it fails try the google authenticator
auth [success=1 default=ignore] pam_yubico.so id=22748 debug
auth required pam_google_authenticator.so
auth required pam_unix.so nullok
# [...]
Test 1: YubiKey
Keep the existing ssh connection open and use a new terminal window to test the connection. Don't lock yourself out.
ssh trinitor@servername
YubiKey for `trinitor': <press YubiKey for 3 seconds (slot 2)>
Password: <enter user password>
Test 2: Google Authenticator
ssh trinitor@servername
YubiKey for `trinitor': <just press enter (enter invalid key)>
Verification code: <open OTP app and enter key>
Password: <enter user password>