It has come to my attention that there was a critical oversight in the Yubikey authentication plugin. If a Yubikey was paired with a different user's account, it was basically possible to log into any Yubikey-enabled account you wanted by entering that username along with a valid OTP. Pretty sad. That's been fixed, and the download links are automatically up to date because they point to the latest version in Mercurial.
The revision containing the fix is d109af008343.