diff --git a/README.md b/README.md
index c547e66..185e152 100644
--- a/README.md
+++ b/README.md
@@ -31,4 +31,14 @@ Rename routes.txt.sample to routes.txt or create an empty routes.txt and add sub
 sudo -E ./run-vpn.sh
 ```
-In case of disconnect, it will try reconnecting after 3 seconds. You can stop it by pressing `CTRL+C` or killing the script.
\ No newline at end of file
+In case of disconnect, it will try reconnecting after 3 seconds. You can stop it by pressing `CTRL+C` or killing the script.
+
+### Yubikey
+
+Yubikey can be used for safe storage of TOTP seed. Configure TOTP in Yubikey Authenticator app or `ykman oath` if using command line. Then use `ykman oath list` to get the name of the entry and set that name in `OC_YUBIKEY` environment variable.
+
+For example:
+
+```
+OC_YUBIKEY=VPN:organization sudo -E ./run-vpn.sh
+```
diff --git a/run-vpn.sh b/run-vpn.sh
index a357a8f..9e0723c 100755
--- a/run-vpn.sh
+++ b/run-vpn.sh
@@ -44,12 +44,19 @@ while true; do
     SCRIPT_INCLUDE="--script=\"$SCRIPTPATH/routing.sh\""
   fi
-  TOTP=$(oathtool --totp=sha1 -b "$SEED")
+  # If yubikey is not used, use the TOTP seed
+  if [[ -z "$OC_YUBIKEY" ]]; then
+    TOTP=$(oathtool --totp=sha1 -b "$SEED")
+    PASSWORD="$PASSWORD\n$TOTP"
+  else
+    YUBIKEY_TOTP="--token-mode=yubioath --token-secret=$OC_YUBIKEY"
+  fi
-  echo -e "$PASSWORD\n$TOTP" | sudo openconnect \
+  echo -e "$PASSWORD" | sudo openconnect \
     --csd-wrapper hostscan-bypass.sh \
     --passwd-on-stdin \
     --os=mac-intel \
+    $YUBIKEY_TOTP \
     $SCRIPT_INCLUDE \
     -u $USERNAME \
     $SERVER
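Review bot: `PASSWORD="$PASSWORD\n$TOTP"` mutates the password variable inside the `while true; do` reconnect loop (the hunk header shows the loop; its start and end are outside the hunk), so on the first reconnect the stdin fed to openconnect becomes password, stale TOTP, fresh TOTP, and the server reads the stale code as the token — the pre-change code built the string in the `echo` and never had this problem. Keep the composed input in a separate variable: `AUTH_INPUT="$PASSWORD\n$TOTP"` in the oathtool branch, `AUTH_INPUT="$PASSWORD"` in the else branch, and `echo -e "$AUTH_INPUT" | sudo openconnect \`. Separately, `$YUBIKEY_TOTP` is deliberately left unquoted so that word-splitting yields two options, which breaks the moment an `ykman oath` credential name contains a space (issuer and account names commonly do); an array, `YUBIKEY_TOTP=(--token-mode=yubioath "--token-secret=$OC_YUBIKEY")` passed as `"${YUBIKEY_TOTP[@]}"`, handles both the empty and the space-containing case without a `set -u` surprise. Note also that `--token-secret=` on the sudo openconnect argv is visible to every local user via `ps`; here it carries only the credential label, not the seed, which is worth stating in the comment so nobody later puts a real secret there.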