The yubikey can perform a hmac using a secret (supposedly) only available to the key's internals. This is used in addition to the password, so that knowledge of the password without the key, or the key without knowledge of the password, can't be used to decrypt the database. It's kind of a half second factor (I know it's not technically correct to call it that, but I hope you get the idea).