I think @jonah is correct on this.
under 5.1.6 Single-Factor Cryptographic Software
NIST says
A single-factor software cryptographic authenticator is a cryptographic key stored on disk or some other “soft” media. Authentication is accomplished by proving possession and control of the key. The authenticator output is highly dependent on the specific cryptographic protocol, but it is generally some type of signed message. The single-factor software cryptographic authenticator is something you have.
Seems like Yubikeys and other hardware tokens fall into something you have.
Granted my understanding of these things is pretty limited…
EDIT:
I think 5.1.7 is more relevant. 5.1.6 is “soft” media whereas 5.1.7 is hardware devices.
A single-factor cryptographic device is a hardware device that performs cryptographic operations using protected cryptographic key(s) and provides the authenticator output via direct connection to the user endpoint. The device uses embedded symmetric or asymmetric cryptographic keys, and does not require activation through a second factor of authentication. Authentication is accomplished by proving possession of the device via the authentication protocol. The authenticator output is provided by direct connection to the user endpoint and is highly dependent on the specific cryptographic device and protocol, but it is typically some type of signed message. A single-factor cryptographic device is something you have.
same result though…