As Yubikey token type, privacyIDEA refers to Yubico’s own AES mode. A Yubikey, configured in this mode outputs a 44 character OTP value, consisting of a 12 character prefix and a 32 character OTP. But in contrast to the Yubico Cloud mode, in this mode the secret key is contained within the token and your own privacyIDEA installation. If you have the time and care about privacy, you should prefer the Yubikey AES mode over the Yubico Cloud mode.
There are several possible ways to enroll a Yubikey token in privacyIDEA. We describe the methods in Yubikey Enrollment Tools.
220.127.116.11.1. Redirect API URLs to /ttype/yubikey¶
To have a service query not the Yubico Cloud URL, but the privacyIDEA
/ttype/yubikey, you sometimes need to redirect the default
API URL via the local webserver.
Yubico servers use
/wsapi/2.0/verify as the path in the
validation URL. Some tools (e.g. Kolab 2FA) let the
user/admin change the API host, but not the rest of
the URL. To redirect the API URL to privacyIDEA’s endpoint
/ttype/yubikey, you’ll need to enable the following two
RewriteRule "^/wsapi/2.0/verify" "/ttype/yubikey" [PT]
If you use nginx there is a similar line provided as a comment to the nginx configuration as well.