Universal 2nd Factor (U2F)
Universal 2nd Factor (U2F) is an open standard that strengthens and simplifies two-factor authentication (2FA) using specialized USB or NFC devices based on similar security technology found in smart cards.
For support of U2F in major web browsers and in system authentication, install the following packages:
pacman -S libfido2 pam-u2f
Generate U2F key for PAM
NOTE: Generate keys as a regular user!
Keys need to be added with the tool pamu2fcfg:
mkdir ~/.config/Yubico
pamu2fcfg -o pam://$(< /etc/hostname) -i pam://$(< /etc/hostname) > ~/.config/Yubico/u2f_keys
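As an added check (not part of the wiki page), the following shell function verifies that the file written by pamu2fcfg has the shape pam_u2f expects before you wire it into PAM: one line per user, of the form `<username>:<KeyHandle>,<PublicKey>,<CoseType>,<Options>`, with further keys for the same user appended as extra `:`-separated records (older pam-u2f releases wrote only `<KeyHandle>,<PublicKey>`, so two-field records are accepted too). The sample line at the bottom is constructed for demonstration; the function name and the default path are this example's own.

```shell
#!/bin/sh
# Added example, not from the wiki: sanity-check a pam-u2f key file after
# running pamu2fcfg, before enabling pam_u2f.so in any PAM service.
# Line format (per pam-u2f documentation):
#   <username>:<KeyHandle>,<PublicKey>,<CoseType>,<Options>[:<KeyHandle>,...]
# Returns 0 when every line is well formed and belongs to the expected user.

u2f_keys_check() {
    file=$1; user=$2
    [ -s "$file" ] || { echo "empty or missing key file: $file" >&2; return 1; }
    while IFS= read -r line || [ -n "$line" ]; do
        [ -n "$line" ] || continue
        name=${line%%:*}
        [ "$name" = "$user" ] || { echo "line is for '$name', expected '$user'" >&2; return 1; }
        case $line in
            *:*) ;;
            *) echo "no key record on line" >&2; return 1 ;;
        esac
        rest=${line#*:}
        [ -n "$rest" ] || { echo "empty key record list" >&2; return 1; }
        # Split the remaining ':'-separated key records (globbing disabled).
        old_ifs=$IFS; IFS=:; set -f; set -- $rest; set +f; IFS=$old_ifs
        for rec in "$@"; do
            n=$(printf '%s' "$rec" | awk -F, '{print NF}')
            case $n in
                2|4) ;;   # old two-field or current four-field record
                *) echo "malformed key record: $rec" >&2; return 1 ;;
            esac
            kh=${rec%%,*}
            [ -n "$kh" ] || { echo "empty key handle in: $rec" >&2; return 1; }
        done
    done < "$file"
    return 0
}

# Stand-alone use: check the file pamu2fcfg wrote for the current user.
# Path and user are assumptions matching the commands on the page.
if [ "$#" -ge 1 ]; then
    u2f_keys_check "${1:-$HOME/.config/Yubico/u2f_keys}" "${2:-$(id -un)}"
fi
```

Run it as `sh check.sh ~/.config/Yubico/u2f_keys` right after pamu2fcfg; a non-zero exit with a message on stderr tells you the file would not be parsed as intended, which is far cheaper to learn now than from a failed sudo prompt.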
Passwordless sudo
Warning: Before making any changes to your configuration, start a separate shell with root permissions (e.g. sudo -s). This way you can revert any changes if something goes wrong.
Open /etc/pam.d/sudo and add the following as the first line:
auth sufficient pam_u2f.so cue origin=pam://hostname appid=pam://hostname
Be sure to replace hostname with the same host name as above.
To test, open a new terminal and type sudo ls. Your key's LED should flash, and after you touch it the command is executed. The cue option causes an instruction to appear on what to do, e.g. Please touch the device.
Display manager login
GDM
Open /etc/pam.d/gdm-password and add the following after the existing auth lines:
auth required pam_u2f.so nouserok origin=pam://hostname appid=pam://hostname
Note the use of the nouserok option, which allows the rule to fail without blocking the login if the user did not configure a key or the key is not connected.
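Editing PAM service files by hand is where people lock themselves out, so here is an added helper (example code, not from the wiki) that applies both changes described above, the sudo line and the gdm-password line, idempotently and with a backup: for sudo it prepends the `sufficient ... cue` line, for GDM it inserts the `required ... nouserok` line after the last existing auth line. The function names are this example's own; the hostname defaults to /etc/hostname as in the pamu2fcfg command on the page, and the test files used below are constructed.

```shell
#!/bin/sh
# Added example, not from the wiki: insert the pam_u2f line into a PAM
# service file, keeping a .bak copy so you can revert from the root shell
# the page tells you to keep open.
# Usage: pam_u2f_insert <pam-file> <sudo|gdm> [hostname]

pam_u2f_line() {
    # $1 = sudo|gdm, $2 = hostname; prints the line the page prescribes.
    case "$1" in
        sudo) printf 'auth sufficient pam_u2f.so cue origin=pam://%s appid=pam://%s\n' "$2" "$2" ;;
        gdm)  printf 'auth required pam_u2f.so nouserok origin=pam://%s appid=pam://%s\n' "$2" "$2" ;;
        *)    echo "unknown mode: $1" >&2; return 1 ;;
    esac
}

pam_u2f_insert() {
    file=$1; mode=$2; host=${3:-$(cat /etc/hostname)}
    line=$(pam_u2f_line "$mode" "$host") || return 1
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 1; }
    # Idempotent: leave the file alone if pam_u2f.so is already referenced.
    if grep -q 'pam_u2f\.so' "$file"; then
        return 0
    fi
    cp -p "$file" "$file.bak" || return 1
    tmp=$(mktemp) || return 1
    if [ "$mode" = sudo ]; then
        # sudo: pam_u2f must be the first line so it is tried before the password.
        { printf '%s\n' "$line"; cat "$file"; } > "$tmp"
    else
        # gdm: place it after the last existing 'auth' line (or at the end if none).
        awk -v ins="$line" '
            /^auth[ \t]/ { last = NR }
            { lines[NR] = $0 }
            END {
                for (i = 1; i <= NR; i++) {
                    print lines[i]
                    if (i == last) print ins
                }
                if (last == 0) print ins
            }' "$file" > "$tmp"
    fi
    # Write through the existing inode so ownership and mode are preserved.
    cat "$tmp" > "$file" && rm -f "$tmp"
}

if [ "$#" -ge 2 ]; then
    pam_u2f_insert "$@"
fi
```

Run it from your root shell as `sh pam-u2f-insert.sh /etc/pam.d/sudo sudo` and `sh pam-u2f-insert.sh /etc/pam.d/gdm-password gdm`; if the test in a new terminal misbehaves, `cp /etc/pam.d/sudo.bak /etc/pam.d/sudo` restores the previous state.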
Unlock LUKS container during boot
To register the key, you will need to use the systemd-cryptenroll utility.
Run the following command to list your detected keys:
systemd-cryptenroll --fido2-device=list
Then you can register the key in a LUKS slot, specifying the path to the FIDO2 device, or using the auto value if there is only one device:
ATTENTION: Make sure to pass the device node of your actual LUKS container!
systemd-cryptenroll --fido2-device=auto /dev/sda1
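The ATTENTION note above is worth automating: the following added wrapper (example code, not from the wiki) refuses to run systemd-cryptenroll unless the argument is a block device that cryptsetup identifies as a LUKS2 container, which is the only format systemd-cryptenroll supports. The function names are this example's own; it relies on the real `cryptsetup isLuks` and `cryptsetup luksDump` subcommands and on the systemd-cryptenroll invocations shown on the page.

```shell
#!/bin/sh
# Added example, not from the wiki: enroll a FIDO2 token into a LUKS2
# volume only after confirming the argument really is a LUKS2 container.
# Must run as root (cryptsetup and systemd-cryptenroll both need it).

# Returns 0 if $1 is a block device carrying a LUKS2 header.
luks2_device_check() {
    dev=$1
    [ -n "$dev" ] || { echo "usage: luks2_device_check /dev/..." >&2; return 1; }
    [ -b "$dev" ] || { echo "$dev is not a block device" >&2; return 1; }
    # isLuks exits non-zero when the device has no LUKS header at all.
    cryptsetup isLuks "$dev" 2>/dev/null \
        || { echo "$dev is not a LUKS container" >&2; return 1; }
    # systemd-cryptenroll only handles LUKS2; luksDump reports the version.
    cryptsetup luksDump "$dev" 2>/dev/null | grep -q '^Version:[[:space:]]*2$' \
        || { echo "$dev is LUKS1, not LUKS2" >&2; return 1; }
}

enroll_fido2() {
    dev=$1
    luks2_device_check "$dev" || return 1
    # Show which tokens systemd-cryptenroll sees before touching the volume.
    systemd-cryptenroll --fido2-device=list || return 1
    systemd-cryptenroll --fido2-device=auto "$dev"
}

if [ "$#" -eq 1 ]; then
    enroll_fido2 "$1"
fi
```

Enrolling only adds a key slot; for systemd-cryptsetup to actually prompt for the token at boot, the volume's crypttab entry (or the corresponding rd.luks.options= kernel parameter) also needs the fido2-device=auto option, and the password slot should be kept until the token has been tested from a real reboot.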