The standard in high-assurance applications is to present a PIN to the hardware token before it can be used, ideally through an out-of-band keypad.
In this context, it would be reasonable to have the Yubikey require a PIN entry from the computer. You could use the same PIN for all sites because it stays local; the relying party never handles it, only the Yubikey.
In this context, it would be reasonable to have the Yubikey require a PIN entry from the computer. You could use the same PIN for all sites because it stays local; the relying party never handles it, only the Yubikey.