I think you have the wrong perception on how YubiKeys add to your security.
2FA means you use different proofs. A password is proof that you know a secret. A YubiKey outputs proof that you are in possession of this device. The tapping is there to avoid rootkit-based exploits (e.g. streaming the data to another device on demand).
Adding a password to your YubiKey does not add anything to this. It does not strengthen this.
To clarify: the biggest concern for these devices is that the proof of ownership is leaked. And an easy way would be to copy the device.
Anything that copies the identity (private key) to a physical key is broken because the identity could be copied before it is on the key.
That's why you create a cryptographic keypair on the device, and the device does not offer to extract the private key.
It must be impossible to clone the key. When you read articles that claim 100% phishing failure due to these YubiKeys, then that's because phishing is copying secrets. And you simply can't for the key. You have to physically steal this device.
And then there is also a human aspect. If you have something that is convenient and 100% successful then don't make it less convenient. You risk that people try to circumvent it.
I tried to do a startup based on an idea like this, but it’s difficult because you essentially have to have keyboard input into the device, which means you now have to trust the keyboard. And once you have a passphrase it is confusing as to whether you should make a 2FA device or a password manager. But it is possible, on a technical level, because embedded devices now have enough RAM to run “effective” versions of argon2 or scrypt or whatever may be preferable at this time.
Yes. It’s poor practice. The FIPS 140 standard has been chip and pin for 30 years now. Maybe ‘somebody’ doesn’t want this to be in common use. It’s absolutely standard in any serious security environment, fully compatible with Active Directory, enables unhackable web logins via SSL in Apache, and the device costs less than $5. It’s atrocious that web sites still use logins that any insider can steal, or any outsider can spoof. U2F is better but not good.
As said elsewhere, for U2F/WebAuthn, the biggest threat is creating a duplicate of the key rather than third parties using the physical key. The idea is that physical security plus needing to know the account password should be sufficient security for that use case. YubiKeys in smartcard or FIDO2 mode do use PINs or passwords to protect the private key, since in that case the private key+PIN are the two factors.
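The two points the thread keeps returning to, a possession proof from a key that is generated on the device and never exported, and a PIN as the separate knowledge factor in FIDO2 mode, can be shown in a small model. This is an added example, not YubiKey firmware or any library's code; the `Authenticator` type, the PIN handling and the `boundData` layout (SHA-256 of the relying-party ID followed by the challenge, a simplification of what WebAuthn actually signs) are assumptions of the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// Authenticator is a hypothetical FIDO2-style key: the private key is generated on the device and no method returns it.
type Authenticator struct {
	creds map[string]ed25519.PrivateKey // one keypair per relying-party ID
	pin   string                        // knowledge factor that unlocks signing
}
func NewAuthenticator(pin string) *Authenticator {
	return &Authenticator{creds: map[string]ed25519.PrivateKey{}, pin: pin}
}

// Register mints a fresh keypair for rpID and hands out only the public half.
func (a *Authenticator) Register(rpID string) ed25519.PublicKey {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err) // no usable entropy: refuse to create a credential
	}
	a.creds[rpID] = priv
	return pub
}

// Assert signs the server's challenge bound to rpID: the signature is the possession proof, the PIN check the knowledge proof.
func (a *Authenticator) Assert(rpID, pin string, challenge []byte) ([]byte, error) {
	if pin != a.pin {
		return nil, errors.New("wrong PIN")
	}
	priv, ok := a.creds[rpID]
	if !ok {
		return nil, errors.New("no credential registered for " + rpID)
	}
	return ed25519.Sign(priv, boundData(rpID, challenge)), nil
}
// boundData is what gets signed: SHA-256(rpID) || challenge, so a response for one site cannot be replayed to another.
func boundData(rpID string, challenge []byte) []byte {
	h := sha256.Sum256([]byte(rpID))
	return append(h[:], challenge...)
}

// Verify is the relying party's side: it recomputes the bound data with its own ID.
func Verify(pub ed25519.PublicKey, rpID string, challenge, sig []byte) bool {
	return ed25519.Verify(pub, boundData(rpID, challenge), sig)
}
```

Cloning the secret means cloning `creds`, which nothing in the API exposes; a stolen device still needs the PIN, and a response collected on a look-alike host fails verification at the real relying party.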