
I've a Yubikey 4 but I'm not sure how/why I should use it. I get the 2FA case, where it provides the One Time Password to log in to some services, sort of what the phone does with the Authy app (or am I wrong?). But what about the SSH access? Should the key be used to decrypt the SSH key when accessing a server? So that, if I grab any computer, I can log in to my server if I've the Yubikey with me? If so, how should this work and how can I set it up?


You can actually store the key you use for SSH authentication on the Yubikey [1]. The main advantage is that the key never leaves the device, so even if your computer is compromised, your key is still safe.

Same thing goes for anything else involving GPG keys - email, signing git commits or tags, software releases, etc.

I don't personally use it for OTP. I do use it for services that support U2F (which is different from OTP, and has the main advantage of being immune to phishing).

[1]: https://developers.yubico.com/PGP/SSH_authentication/


I'll give it a look. The potential of this device is still not clear to me.


I use it for lots of stuff.

Let's go through it. Yubikey supports a number of different 2FA workflows. It supports TOTP (together with a phone), HOTP, Yubico OTP (that is their own standard based on HOTP) and of course, most importantly, U2F. U2F is the new and improved 2FA standard that gives you interesting things like phishing protection.

It can also be used to issue a static password, and it can also be used in a challenge-response mode (you send it something and it will get hashed). Both of these can be used to do decryption while booting, for example.

Now let's get to the more advanced stuff. Yubikey is both a GPG smartcard and a PIV smartcard. Essentially this allows you to plug in your Yubikey and then automatically your GPG and SSH keys will appear as if they are on the system. If your program, for example Thunderbird or SSH, tries to use the private key, it will require a PIN.

This allows you to have no key material on your computer. If you are hacked, the attacker has no access to your private keys (and hopefully, thanks to 2FA, not too many of your accounts). Even if you lose the keys themselves, your keys will probably not leak.

Depending on your situation and security needs you will want this stick either always plugged into your machine, or you want to carry a stick around on your keychain.

As for how to set it up, Yubico has lots of documentation.

https://developers.yubico.com/

If you have questions, you have my keybase :)
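The phishing protection that both comments above credit to U2F comes from origin binding: the key signs the server's challenge together with the origin the browser reports, so a signature produced on a look-alike site never verifies at the real one, and the private material never leaves the token. The toy model below is an added illustration, not Yubico's code or the U2F specification. HMAC-SHA256 stands in for the ECDSA signature a real key produces (a labelled simplification: a real relying party stores only a public key), and the origins "https://example.com" and "https://examp1e.com" and the user "alice" are constructed sample values.

```python
"""Toy model of U2F-style origin binding (added illustration, not Yubico code).

HMAC-SHA256 stands in for the real ECDSA signature; a real relying party
holds only a public key, here it holds a verifier closure instead.
"""
import hashlib
import hmac
import secrets


class SecurityKey:
    """Authenticator whose master seed never leaves the object.

    Per-site keys are derived from (seed, origin), so every relying party
    gets a different key, much like real U2F key handles."""

    def __init__(self):
        self._seed = secrets.token_bytes(32)

    def _site_key(self, origin: str) -> bytes:
        return hmac.new(self._seed, origin.encode(), hashlib.sha256).digest()

    @staticmethod
    def _message(origin: str, challenge: bytes) -> bytes:
        # What gets signed: the origin the browser saw plus the challenge.
        return origin.encode() + b"|" + challenge

    def register(self, origin: str):
        """Hand the relying party a verifier (stand-in for a public key).

        It closes over the derived site key, so server code never sees
        the master seed."""
        site_key = self._site_key(origin)

        def verify(challenge: bytes, signature: bytes) -> bool:
            expected = hmac.new(site_key, self._message(origin, challenge),
                                hashlib.sha256).digest()
            return hmac.compare_digest(expected, signature)

        return verify

    def authenticate(self, origin_seen_by_browser: str, challenge: bytes,
                     touched: bool = True) -> bytes:
        """Sign the challenge bound to the origin the browser supplies.

        The user never types the origin; the browser derives it from the
        page URL, which is what defeats a look-alike domain."""
        if not touched:
            raise PermissionError("user presence (touch) required")
        site_key = self._site_key(origin_seen_by_browser)
        return hmac.new(site_key,
                        self._message(origin_seen_by_browser, challenge),
                        hashlib.sha256).digest()


class RelyingParty:
    """Server side: one verifier per user, single-use challenges."""

    def __init__(self, origin: str):
        self.origin = origin
        self._verifiers = {}
        self._pending = {}

    def enroll(self, user: str, key: SecurityKey) -> None:
        self._verifiers[user] = key.register(self.origin)

    def new_challenge(self, user: str) -> bytes:
        challenge = secrets.token_bytes(32)
        self._pending[user] = challenge
        return challenge

    def login(self, user: str, signature: bytes) -> bool:
        challenge = self._pending.pop(user, None)  # consumed on first use
        if challenge is None or user not in self._verifiers:
            return False
        return self._verifiers[user](challenge, signature)


def legitimate_login(rp: RelyingParty, key: SecurityKey, user: str) -> bool:
    """Browser is on the real origin, so the signed origin matches."""
    challenge = rp.new_challenge(user)
    return rp.login(user, key.authenticate(rp.origin, challenge))


def phished_login(rp: RelyingParty, key: SecurityKey, user: str,
                  lookalike: str = "https://examp1e.com") -> bool:
    """A relayed challenge signed on a look-alike origin fails to verify."""
    challenge = rp.new_challenge(user)
    return rp.login(user, key.authenticate(lookalike, challenge))


def replayed_login(rp: RelyingParty, key: SecurityKey, user: str):
    """A captured valid signature is useless a second time: challenge is single-use."""
    challenge = rp.new_challenge(user)
    signature = key.authenticate(rp.origin, challenge)
    return rp.login(user, signature), rp.login(user, signature)


if __name__ == "__main__":
    key = SecurityKey()
    rp = RelyingParty("https://example.com")  # constructed sample origin
    rp.enroll("alice", key)
    print("legitimate:", legitimate_login(rp, key, "alice"))  # True
    print("phished:", phished_login(rp, key, "alice"))        # False
    print("replayed:", replayed_login(rp, key, "alice"))      # (True, False)
```

The design point worth noticing is that the relying party verifies over its own origin, while the key signs over whatever origin the browser presents; the two only agree when the user is really on the enrolled site. The same property is what an OTP code lacks: a six-digit code typed into a look-alike page is valid anywhere it is forwarded.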


I wrote to you via the Keybase tool. I've set up the Yubikey and copied the Access Key to the Yubikey, but ssh-add -L does not list the key from the Yubikey.


You can use it as 2FA for your SSH installation too[1].

[1] https://www.yubico.com/why-yubico/for-businesses/computer-lo...



