YubiKeys are cheap, tiny, nigh indestructible hardware-based second factor authentication devices.
They have a lot of mode and can support traditional TOTP and whatnot, but one mode is particularly nice because it's very automatic and works out of the box for all Yubikeys: the 'Yubikey OTP' configuration.
Essentially, you program a Yubikey and upload the verification key to the Yubico Verification Service (you can run your own too, which is a bit involved). This encrypts the key and stores it in a hardware KSM on their servers, and you then basically use their API as an oracle to ask it to decrypt OTP requests and give the yay-or-nay. So it's all quite easy to integrate into third party applications. Note: all Yubikeys come with a 'slot' configured for the public validation service out of the box, so by default you can just 'plug and play' with no configuration. However, users can optionally reconfigure their keys however they want (and later re-upload a new key to the validation service if they need to).
I've actually implemented support for this in my own private Phabricator instance (it wasn't too hard) - Yubikeys, aside from being nice and cheap and easy, are actually a lot faster to identify with than a traditional TOTP app too, especially with the Yubikey Nano. At any point I can just tap my USB port to input a MFA token - and it even hits enter for me. (Also - to me, at least - it's a lot more convenient and less troublesome to pay for a $20 redundant piece of plastic for OTP logins where affordable.)
I'm wondering if upstream Phabricator would be willing to support this/merge it. Naturally, I won't be heartbroken if the vote is a resounding "no" (it is not very difficult at all to maintain), because it's very easily addable as a library. But, the patch is actually quite small (one Yubico.php file and a small Phabricator class) and works OOTB with little effort. If the answer is "no", we can wontfix this and I'll publish the library elsewhere and link to it, so people can at least find it if they search.