diff --git a/hosts/default/variables.nix b/hosts/default/variables.nix
index de539a8..df1c4e9 100644
--- a/hosts/default/variables.nix
+++ b/hosts/default/variables.nix
@@ -54,4 +54,8 @@
 # Network host ID (needed for zfs, otherwise leave as-is)
 hostId = "5ab03f50";
+
+ # YubiKey serial numbers for yubico-pam challenge-response
+ # Run: nix-shell --command 'ykinfo -s' -p yubikey-personalization
+ yubikeyIds = [ "12345678" ];
 
 }
diff --git a/modules/core/default.nix b/modules/core/default.nix
index 10f6362..8910cfc 100644
--- a/modules/core/default.nix
+++ b/modules/core/default.nix
@@ -20,6 +20,7 @@ in
 (if vars.displayManager == "tui" then ./greetd.nix else ./sddm.nix)
 ./security.nix
 ./services.nix
+ ./yubikey.nix
 ./stylix.nix
 ./syncthing.nix
 ./system.nix
diff --git a/modules/core/yubikey.nix b/modules/core/yubikey.nix
new file mode 100644
index 0000000..9bc2b91
--- /dev/null
+++ b/modules/core/yubikey.nix
@@ -0,0 +1,47 @@
+{
+ pkgs,
+ host,
+ ...
+}:
+let
+ vars = import ../../hosts/${host}/variables.nix;
+in
+{
+ # Udev rules for YubiKey
+ services.udev.packages = [ pkgs.yubikey-personalization ];
+
+ # Smartcard daemon (for CCID / GPG smartcard mode)
+ services.pcscd.enable = true;
+
+ # GPG agent with SSH support
+ programs.gnupg.agent = {
+ enable = true;
+ enableSSHSupport = true;
+ };
+
+ # Yubico PAM — challenge-response authentication
+ security.pam.yubico = {
+ enable = true;
+ debug = false;
+ mode = "challenge-response";
+ id = vars.yubikeyIds;
+ };
+
+ # Lock all sessions when a YubiKey is unplugged
+ services.udev.extraRules = ''
+ ACTION=="remove",\
+ ENV{ID_BUS}=="usb",\
+ ENV{ID_MODEL_ID}=="0407",\
+ ENV{ID_VENDOR_ID}=="1050",\
+ ENV{ID_VENDOR}=="Yubico",\
+ RUN+="${pkgs.systemd}/bin/loginctl lock-sessions"
+ '';
+
+ # Useful CLI tools for managing YubiKeys
+ environment.systemPackages = with pkgs; [
+ yubikey-personalization
+ yubikey-manager
+ yubico-pam
+ pam_u2f
+ ];
+}
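Review bot: The comment on the new `yubikeyIds` line describes the value as device serial numbers, but modules/core/yubikey.nix in this same commit passes it to `security.pam.yubico.id`, which pam_yubico treats as the Yubico API client id used in `client` mode; in challenge-response mode a key is bound through the per-user challenge file written by `ykpamcfg -2`, not through this option, so the list (and the `12345678` placeholder committed here) likely does not do what the comment claims. If the NixOS option is typed as a single string rather than a list, assigning a list will also fail evaluation; I would confirm against the module definition before depending on it. A comment such as `# Consulted only in mode = "client"; challenge-response uses the per-user file from ykpamcfg -2` would stop the next reader repeating the assumption.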
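Review bot: `./yubikey.nix` is inserted between `./services.nix` and `./stylix.nix`, which breaks what appears to be an alphabetical import list (security, services, stylix, syncthing, system); placing it after `./system.nix` keeps the list sorted. The enclosing list starts before this hunk. Importing it here also enables the YubiKey PAM stack unconditionally for every host built from modules/core, which deserves a one-line comment if that is the intent.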
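Review bot: `security.pam.yubico.control` is left at its NixOS default of `sufficient`, so once this module is imported an enrolled, plugged-in YubiKey can satisfy every PAM service (login, sudo, screen unlock) on its own — possession of the key replaces the password rather than supplementing it; if the key is meant as a second factor, add `control = "required";` to the `security.pam.yubico` block. Challenge-response mode also depends on a per-user challenge file created with `ykpamcfg -2` (or pointed to by the module's `challengeResponsePath` option), and nothing in this file says so; a comment next to `mode = "challenge-response";` would save the first lockout. `id = vars.yubikeyIds;` reads an attribute this commit only adds to hosts/default/variables.nix, so any other host evaluated through modules/core fails with a missing-attribute error — `id = vars.yubikeyIds or [ ];`, or guarding `enable` on its presence, keeps the module usable elsewhere. In the udev rule, `ENV{ID_MODEL_ID}=="0407"` matches a single USB product id, so a YubiKey configured in a different USB mode reports another id and its removal never locks the session; matching on the `ID_VENDOR_ID` the rule already checks would cover every Yubico device.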