Looks like the user has to pay for a "service". How is the YubiKey communicating to the back end systems?
When you use a YubiKey to secure your Casa vault, a seed phrase is generated on your laptop or computer and then stored securely on the YubiKey protected by the passkey you just created. That seed phrase is then only accessible when you successfully authenticate with the Casa domain using the YubiKey itself. This means you can’t be tricked into signing a transaction through a fake Casa website — the passkey will refuse to decrypt the seed phrase.