Two-factor authentication with KDE

In order to achieve two-factor authentication, I edited system-auth and configured U2F using pam_u2f as the main method and Yubico OTP using pam_yubico as the backup method. However, I encountered several problems:

  • pam_yubico will not work on the login screen (it works in SSH and tty): it will not ask me to authenticate with the YubiKey, and it will always return a failure.
  • pam_u2f will work; however, if I forget to insert the U2F device at the time of login, pam_faillock will lock me out directly after one attempt. This is not expected, since I configured pam_faillock to lock an account only after 3 unsuccessful attempts.

This is how I configured the /etc/pam.d/system-auth:

auth       requisite               preauth
# Optionally use requisite above if you do not want to prompt for the password
# on locked accounts.
auth       [success=ok default=3]          try_first_pass nullok
auth       [success=3 default=ignore]           nouserok cue
auth       [success=2 authinfo_unavail=2 ignore=2 default=ignore] id=<id> key=<key> info mode=client nullok
-auth      [success=1 default=ignore]
auth       [default=die]           authfail
auth       optional          
auth       required          
auth       required                authsucc
# If you drop the above call to the lock will be done also
# on non-consecutive authentication failures.
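
Added example (not part of the original post): a simplified Python model of how libpam evaluates the control fields in the stack above, showing which lines run in one pass and how often the `authfail` line is reached. Slots are identified by position and visible arguments because the module names are missing from the post; only the actions this stack uses are modelled, and a jump is assumed to skip lines without changing the verdict.

```python
# Added example: simplified model of libpam walking the auth stack from the post.
# Entries are (control, visible arguments); module names are absent in the post,
# so slots are identified by position. The leading "-" on slot 4 is dropped: it
# only silences logging when the module cannot be loaded.
STACK = [
    ("requisite", "preauth"),
    ("[success=ok default=3]", "try_first_pass nullok"),
    ("[success=3 default=ignore]", "nouserok cue"),
    ("[success=2 authinfo_unavail=2 ignore=2 default=ignore]",
     "id=<id> key=<key> info mode=client nullok"),
    ("[success=1 default=ignore]", ""),
    ("[default=die]", "authfail"),
    ("optional", ""),
    ("required", ""),
    ("required", "authsucc"),
]
AUTHFAIL = 5  # slot whose visible argument is "authfail"

# Keyword controls in bracket form, per pam.conf(5) (new_authtok_reqd omitted).
KEYWORDS = {
    "requisite": {"success": "ok", "ignore": "ignore", "default": "die"},
    "required": {"success": "ok", "ignore": "ignore", "default": "bad"},
    "optional": {"success": "ok", "default": "ignore"},
}

def parse(control):
    """Turn a control field into a {return_code: action} mapping."""
    if control in KEYWORDS:
        return KEYWORDS[control]
    return dict(pair.split("=") for pair in control.strip("[]").split())

def walk(results):
    """results: {slot: return code name}; unlisted slots return "success".
    Returns (authenticated, slots that ran in this single pass)."""
    verdict, ran, i = None, [], 0
    while i < len(STACK):
        rc = results.get(i, "success")
        ran.append(i)
        rules = parse(STACK[i][0])
        action = rules.get(rc, rules["default"])
        if action.isdigit():                # jump: skip the next N slots
            i += int(action)
        elif action == "ok" and verdict is None:
            verdict = "pass"
        elif action in ("bad", "die"):
            verdict = "fail"
            if action == "die":             # stop the stack immediately
                break
        i += 1
    return verdict == "pass", ran
```

In this model one pass reaches the `authfail` line at most once, which can be compared with the entries `faillock --user <name>` lists after a single failed login. Calling `walk({2: "auth_err", 3: "authinfo_unavail"})` also shows that `authinfo_unavail=2` and `ignore=2` on the `id=<id> key=<key>` line let the password alone succeed when that line returns either code.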