The Yubikey token type in privacyIDEA refers to Yubico’s own AES mode. A Yubikey configured in this mode outputs a 44-character OTP value, consisting of a 12-character prefix and a 32-character OTP. In contrast to the Yubico Cloud mode, in this mode the secret key is contained within the token and your own privacyIDEA installation. If you have the time and care about privacy, you should prefer the Yubikey AES mode over the Yubico Cloud mode.
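The 12 + 32 character layout described above can be checked and split before any token lookup. The following is an added example, not privacyIDEA's own code: the function names are hypothetical, the sample OTP is constructed, and the modhex alphabet is the one Yubico uses for OTP output.

```python
import re

# Yubico's "modhex" alphabet: position n encodes hex digit n.
MODHEX = "cbdefghijklnrtuv"
_TO_HEX = str.maketrans(MODHEX, "0123456789abcdef")

PREFIX_LEN = 12   # 12-character prefix (6 bytes)
OTP_LEN = 32      # 32-character OTP part (16 bytes, one AES-128 block)
_OTP_RE = re.compile("[%s]{%d}" % (MODHEX, PREFIX_LEN + OTP_LEN))


def modhex_decode(value: str) -> bytes:
    """Decode a modhex string to bytes, rejecting foreign characters."""
    if set(value) - set(MODHEX):
        raise ValueError("not a modhex string")
    return bytes.fromhex(value.translate(_TO_HEX))


def parse_yubikey_otp(raw: str):
    """Split a 44-character AES-mode OTP into (prefix, prefix bytes, block).

    The prefix selects the token record on the server; the 16-byte block
    is what the server decrypts with that token's AES key.
    """
    otp = raw.strip().lower()  # tolerate trailing newline and caps lock
    if not _OTP_RE.fullmatch(otp):
        raise ValueError("expected 44 modhex characters")
    prefix, encrypted = otp[:PREFIX_LEN], otp[PREFIX_LEN:]
    return prefix, modhex_decode(prefix), modhex_decode(encrypted)


if __name__ == "__main__":
    # Constructed sample value, not output from a real token.
    sample = "cbdefghijkln" + "rtuvcbdefghijklnrtuvcbdefghijkln"
    prefix, prefix_bytes, block = parse_yubikey_otp(sample + "\n")
    print(prefix, prefix_bytes.hex(), block.hex())
```

Rejecting malformed input at this stage keeps anything that is not 44 modhex characters away from the token lookup and the AES decryption step.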

There are several possible ways to enroll a Yubikey token in privacyIDEA. We describe the methods in Yubikey Enrollment Tools.

Redirect API URLs to /ttype/yubikey

To have a service query the privacyIDEA endpoint /ttype/yubikey instead of the Yubico Cloud URL, you sometimes need to redirect the default API URL via the local webserver. Yubico servers use /wsapi/2.0/verify as the path in the validation URL. Some tools (e.g. Kolab 2FA) let the user/admin change the API host, but not the rest of the URL. To redirect the API URL to privacyIDEA’s endpoint /ttype/yubikey, you’ll need to enable the following two lines in /etc/apache2/sites-enabled/privacyidea.conf:

RewriteEngine  on
RewriteRule    "^/wsapi/2.0/verify"  "/ttype/yubikey" [PT]

If you use nginx, a similar line is provided as a comment in the nginx configuration.