Thank you for writing this great security plugin. Always nice when someone already wrote something I really need!
There is one issue I noticed though. I noticed that you call the yubikey API via the HTTP protocol - I don't really understand why Yubikey is supporting this protocol.
Since a OTP is going over this line I would really suggest to move this over to HTTPS to make sure that the OTP is not visible to anyone who is not supposed to see this information. When doing this please make sure you validate the SSL certificate provided by the Yubikey server. This can sometimes be rather tricky with the curl library.
Thanks again for making this plugin. And if you have any questions or need some help please feel free to contact me.