We just recently went through this, and here is what we discovered.
https://support.yubico.com/hc/en-us/articles/360016614920-YubiKey-USB-ID-Values is a full list of the PIDs.
I personally tried 404 to 407, and 405-407 all had the HID interface descriptor. So even without OTP, the U2F was an HID class.
As long as it was an HID device, I was not able to get it to show up in the
esxcli hardware usb passthrough device list
and I was not able to add it as a USB device in ESXi. Only 404 (CCID only) worked.
According to my notes, we were able to get this to work in VMware Fusion (not ESXi):
usb.generic.allowHID = "TRUE"
usb.generic.allowLastHID = "TRUE"
# and sometimes
usb.quirks.device0 = "0x1050:0x0407 allow"
However, adding the same to the .vmx files in ESXi did not work.
This would not be enough, as it was never listed in "esxcli hardware usb passthrough device list", so even if the VM allowed it, it's not there to be allowed. So I tried following directions from here: https://blog.rylander.io/2020/06/26/Passthrough-USB-Keyboard-and-Mouse-to-VM-using-ESXi-V7/
However, I never got it to show up in "esxcli hardware usb passthrough device list", and was also unable to add it as a USB device.
Summary:
In addition to all the other settings mentioned, I also edited /etc/vmware/config:
usb.quirks.device0 = "0x1050:0x0407 allow"
I wasn't sure if that needed a reboot, so I rebooted ESXi; no dice.
I then edited /bootbank/boot.cfg and changed the kernelopt line to:
kernelopt=autoPartition=FALSE CONFIG./USB/quirks=0x1050:0x0407::0xffff:UQ_KBD_IGNORE
I wasn't sure if that needed a reboot, so I rebooted ESXi; no dice.
I repeated this for 0x0406 and 0x0405, and none of them worked. In the end I could only get CCID-only mode to work. Is there any way I can get this to work without disabling OTP/U2F mode?