Interesting project.
I'm wondering how it works. I assume with the regular client, it is hashing the passphrase and then verifying it?
What can you get back from the YubiKey on success? 'Cause if you only get back a generic success message, that doesn't seem that secure, because an attacker with access to your machine could modify your code and bypass the key.