Two-factor authentication with KDE

In order to achieve two-factor authentication, I edited system-auth, configuring U2F via pam_u2f as the main method and Yubico OTP via pam_yubico as the backup method. However, I encountered several problems:

  • pam_yubico will not work in the login screen (it works in SSH and in a tty): it does not ask me to authenticate with the YubiKey and always returns a failure
  • pam_u2f works; however, if I forget to insert the U2F device at login time, pam_faillock immediately locks me out after one attempt, which is not expected since I configured pam_faillock to lock an account only after 3 unsuccessful attempts

This is how I configured /etc/pam.d/system-auth:

auth       requisite                   pam_faillock.so      preauth
# Optionally use requisite above if you do not want to prompt for the password
# on locked accounts.
auth       [success=ok default=3]      pam_unix.so          try_first_pass nullok
auth       [success=3 default=ignore]  pam_u2f.so           nouserok cue
auth       [success=2 authinfo_unavail=2 ignore=2 default=ignore]  pam_yubico.so id=<id> key=<key> info mode=client nullok
-auth      [success=1 default=ignore]  pam_systemd_home.so
auth       [default=die]               pam_faillock.so      authfail
auth       optional                    pam_permit.so
auth       required                    pam_env.so
auth       required                    pam_faillock.so      authsucc
# If you drop the above call to pam_faillock.so the lock will be done also
# on non-consecutive authentication failures.
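To reason about which modules actually run for a given attempt, here is an added toy model of Linux-PAM's auth-stack control flow (ok/bad/die/ignore and `[success=N]` jumps) applied to the stack above. It is not part of the original post and not a real PAM implementation; the module names, the `ALWAYS_OK` set and the scenario return values are constructed assumptions.

```python
# Added illustration (not from the original post): a toy model of Linux-PAM's
# auth-stack control flow, applied to the system-auth posted above.
# Only the ok/bad/die/ignore/jump actions are modelled; this is not real PAM.

# (module, control table). "default" covers any return value not listed.
# requisite = [success=ok default=die], required = [success=ok default=bad],
# optional = [success=ok default=ignore].
STACK = [
    ("faillock preauth",  {"success": "ok", "default": "die"}),
    ("pam_unix",          {"success": "ok", "default": 3}),
    ("pam_u2f",           {"success": 3, "default": "ignore"}),
    ("pam_yubico",        {"success": 2, "authinfo_unavail": 2, "ignore": 2,
                           "default": "ignore"}),
    ("pam_systemd_home",  {"success": 1, "default": "ignore"}),
    ("faillock authfail", {"default": "die"}),
    ("pam_permit",        {"success": "ok", "default": "ignore"}),
    ("pam_env",           {"success": "ok", "default": "bad"}),
    ("faillock authsucc", {"success": "ok", "default": "bad"}),
]
# Assumed return values when a scenario does not say otherwise: account not
# locked and helper modules succeed; every other module fails with auth_err.
ALWAYS_OK = {"faillock preauth", "pam_permit", "pam_env", "faillock authsucc"}

def run_stack(returns):
    """Walk STACK once; returns (final status, modules that actually ran)."""
    status, ran, i = None, [], 0
    while i < len(STACK):
        name, control = STACK[i]
        ret = returns.get(name, "success" if name in ALWAYS_OK else "auth_err")
        ran.append(name)
        action = control.get(ret, control["default"])
        if isinstance(action, int):      # [success=N]: acts like ok, then skips N modules
            i, action = i + action, "ok"
        if action == "ok" and status != "fail" and ret != "ignore":
            status = "success" if ret == "success" else "fail"
        elif action == "bad":
            status = "fail"
        elif action == "die":            # bad + stop the stack immediately
            return "fail", ran
        i += 1                           # "ignore" leaves status untouched
    return status or "fail", ran

def authfail_records(returns):
    """Failures tallied by 'faillock authfail' during one login attempt."""
    return run_stack(returns)[1].count("faillock authfail")

# Constructed scenarios (module return values) for the posted stack.
GOOD_PW_U2F    = {"pam_unix": "success", "pam_u2f": "success"}
GOOD_PW_OTP    = {"pam_unix": "success", "pam_yubico": "success"}
GOOD_PW_NO_KEY = {"pam_unix": "success"}   # key not inserted, no OTP typed
BAD_PW         = {"pam_unix": "auth_err"}
```

In this model a single attempt with the key missing passes through `faillock authfail` exactly once, so a deny=3 lockout needs three such passes; leftover tallies from earlier attempts can be inspected with `faillock --user <name>` before testing again.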