Yubikey 2FA authentication? FIDO U2F?
Does PayPal support Yubikey or similar hardware-based authentication devices? SMS text messaging is very inconsistent in my rural area and the security questions are weak at best.
My Yubikey is working well for many services, so I am hoping I missed its integration with PayPal. When I went to hardware devices on the Security page, all I saw was cellphone/SMS options.
Best Regards,
Sid
Just set up several accounts with Yubikey. I am very surprised banks, credit agencies and PayPal are not yet utilizing this technology. They could be saving millions of dollars in fraud detection/prevention. I am glad PayPal is using the one-time codes for added security, but you have to admit it can be somewhat of a pain punching a PIN into the phone, which I must keep in another room to maintain my data/hotspot connection.
I hope PayPal jumps on board soon and makes Yubikey a much needed option.
I have the same question as the discussion starter, but I'm confused about your answer because I have found this YouTube video.
This video is from 2011. PayPal only accepts SMS 2FA. It no longer accepts YubiKeys of any kind.
@LeighNeo -
TL;DR - it is unlikely that they will support Yubikey or other 2FA (U2F) for client-initiated funds transfers, etc. in the future. Maybe OTP for direct PP website logins, I suppose, but I kinda doubt it. Reason? They used to support them, years ago, then they removed them as a 2FA option.
Uber Long, boring, semi-technical answer -
Paypal did support Yubikey several years ago (2010? I don't recall when I first got mine). They continued to support my Yubikey up until TODAY (Aug 25, 2017), when I disabled my Yubikey via the Paypal settings panel. Direct logins to the Paypal website were typically without problems, but logins initiated from partner/vendor sites were very hit/miss, mostly miss. I am not referring to redirects to the Paypal website, but rather to remote login and transfer of funds initiated from the vendor's website; these were/are very problematic for Yubikey 2FA Paypal users and likely the reason that Paypal discontinued support of Yubikey. Let me be clear, the issue was not with Yubikey or that technology; it was with Paypal's implementation of the vendor remote-login/txfr mechanism, i.e. the login popup. Just plain bad code, period. Either never designed to work with Yubikeys and failing to mention it, or ... yeah, s*** code. When I was unable to make a donation at a particular website, I logged in to Paypal to temporarily disable my Yubikey, because I knew that was the reason that the login was failing. This website used the pop-up Paypal logins, which in turn initiate a corresponding Paypal popup login panel, to convey a seamless transaction experience I guess. These popups are not coded (written) to handle the Yubikey authentication protocol, i.e. they simply fail, with an invalid user/password error after you type the correct password when your 2FA option is a Yubikey. They just never prompt for the Yubikey UTF "tap" at all. So, while I intended to temporarily disable my Yubikey at Paypal's site, then re-enable it after completing a donation via a txfr/payment, Paypal allowed me to "disable" the Yubikey with zero warnings that "disable" was really going to remove my Yubikey info/registration entirely. A sort-of forced deprecation of functionality/support.
Very user-unfriendly, and in fact totally misleading and even disingenuous. So Paypal REMOVED my Yubikey registration entirely from clicking "Disable". Then, as you already know, Yubikey was not an option when I went to add it back as a 2FA alternative- only option is mobile/text #.
Paypal is a seriously wonky website; their "improvements" are usually regressions in aesthetics and usability, and they clearly need more talented designers and developers in their ranks. Of course, just an opinion, but from an experienced staff-level s/w dev. "Wonky" is as good a term as any to describe their site... maybe "klunky" too. The termination of Yubikey support was done very underhandedly as well; covertly. They continued supporting it for direct login through their portal, but for some reason (too lazy? lacked the talent to implement the FIDO U2F protocol on their "site-to-site" implementation?), without warning or any notification at all, they just removed Yubikey as a 2FA option. Seriously ready for a PP alternative about this time, to be honest. So, since they were supporting it more than five years ago and removed that support, I wouldn't hold my breath. Just sayin'.
Apologies to any designers or devs that I may have offended. I know that there are often times when management makes such decisions unilaterally, either due to using contractors that "don't work out", to save a few pounds, dollars, pennies, etc. So, I rescind my initial reaction of casting blame on the architects and devs.
HORN TOOT, or btw - when I first got my Yubikey, I grabbed all of their API docs available to partners and site-builders and wrote a sorta prototype/reference implementation to learn the basics (iirc they provide a reference authenticator). I implemented a very basic p2p authenticator/handshake that utilized a popup to invoke a corresponding (server-side) UTF-enabled dialog (i.e. "tap the Yubikey for your UTF code") to login & authenticate, then simulate a bank-transfer and return. It was non-trivial at first but pretty much worked in just over a week of part-time prototyping. While not uber clean or ready-for-GA, it could easily serve as a basis for the p2p Paypal login/funds-txfr mechanism that never seemed to work for UTF-enabled 2FA Paypal logins. Some sites which utilized such a popup-login provided for alternatively routing to a direct Paypal login screen - probably for exactly those circumstances - but most did not in my experience. Some sites still use that "go pay and then return" design.
Apologies for the "my-own-horn" toot btw.
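The failure mode described in the post above (a popup login path that cannot collect the second factor and reports a correct password as "invalid user/password") can be modelled as a policy-placement problem. This is an added illustration, not PayPal's or Yubico's code: the user store, passwords and entry-point names are constructed, and a boolean stands in for a registered security key. It contrasts an entry point that re-implements the checks with one that routes every entry point through a single `authenticate()` that distinguishes a wrong password from a missing second factor.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Constructed user store: salted scrypt password hashes plus a flag standing in
# for a registered hardware security key (the real thing would be a credential record).
@dataclass
class User:
    pw_hash: bytes
    salt: bytes
    has_security_key: bool

USERS: dict[str, User] = {}

def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1)

def register(name: str, password: str, security_key: bool) -> None:
    salt = secrets.token_bytes(16)
    USERS[name] = User(_hash(password, salt), salt, security_key)

def password_ok(user: User, password: str) -> bool:
    return hmac.compare_digest(_hash(password, user.salt), user.pw_hash)

# Pattern A, the behaviour the post describes: the popup has no way to collect a
# key tap, so it folds every failure into one generic error. A correct password on
# a key-protected account is reported as "invalid user/password".
def popup_login_broken(name: str, password: str) -> str:
    u = USERS.get(name)
    if u is None or not password_ok(u, password) or u.has_security_key:
        return "invalid user/password"
    return "ok"

# Pattern B: second-factor policy lives in one function that every entry point
# must call. It returns a distinct outcome for "password right, factor missing",
# so a caller can collect the factor or hand off instead of mislabelling the result.
def authenticate(name: str, password: str, key_tapped: bool) -> str:
    u = USERS.get(name)
    if u is None or not password_ok(u, password):
        return "invalid user/password"
    if u.has_security_key and not key_tapped:
        return "second factor required"
    return "ok"

def popup_login_fixed(name: str, password: str) -> str:
    # The popup still cannot perform a key tap; it surfaces the challenge by
    # handing the user to a login page that can, rather than hiding it.
    result = authenticate(name, password, key_tapped=False)
    if result == "second factor required":
        return "redirect to full login for second factor"
    return result
```

The redirect string is a placeholder for whatever hand-off the embedding site provides; the point is that the outcome is classified before any entry point decides how to present it.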
Well, here's to hoping that PayPal either jumps on board with FIDO2 U2F, as it just made release candidate stage with W3C, so in theory most of the issues that plagued FIDO1 are possibly dealt with and it now has a better standard and platform. At least support for HOTP, Google Authenticator, something. I plan on canning anything sensitive that doesn't support FIDO, TOTP, or HOTP. Last year was rough enough and I was in three breaches last year, so really not a lot of options left other than ditching all my weak points, of which PayPal is my largest risk.
Fingers crossed, come on PayPal, give us a beta FIDO2 U2F with a backup option for HOTP... 😄