2

Context

I am lazy. But I am also (a bit) concerned with security.

So on my machine (running Fedora), I want to be able to both:

  • log into my session using a strong passphrase,
  • log into my session using a quick-to-type password when my Yubikey is plugged in.

There are 3 reasons for that:

  1. I want to be able to log into my machine with a passphrase only (if I lose my Yubikey, or if I'm comfy in my bed and I don't want to get up to grab the Yubikey in my jacket — remember, I'm lazy).
  2. Yet if I have my Yubikey plugged in (e.g. at work), I'd like to log in with a quick-to-type password only (remember, I'm lazy) as I frequently lock my session — and so have to log back in.
  3. I wouldn't want to use my Yubikey alone (without password), though, as I might forget to unplug the key when I lock the session (lazy… and concerned about security).

Question

How do I set up my user account so I can log in using either of these two different authentication methods?

  • passphrase only,
  • password + Yubikey
ebosi
  • FYI, [this piece of documentation](https://fedoraproject.org/wiki/Using_Yubikeys_with_Fedora) details how to set up a Yubikey + password authentication. I intend to test it but, from reading it, it seems that the Yubikey will be _required_, so authenticating through passphrase only wouldn't be available any more (for that user). – ebosi Sep 15 '20 at 16:12

1 Answer

0

Here is the solution strategy I have come up with so far:

  1. One can create multiple accounts with the same UID (cf. Why can I create Users with the same UID) — i.e. both accounts would be the same user from the OS perspective, but we could have a separate authentication method for each (one with passphrase, another with Yubikey + password). Whether it's a good idea is debated.
  2. It is possible to require both a Yubikey and password as an authentication strategy. It is defined in the Linux PAM system. (It is also possible to require a password only!)

The points I haven't solved so far:

  • How to assign a specific PAM rule per account (cf. point 1 above)?
  • How to implement the Yubikey + passphrase authentication strategy in GDM (GNOME Display Manager — i.e. the GUI to authenticate in Fedora)?

(I'll update this post once I've made progress on these issues.)

ebosi
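
One way to attach a different PAM rule to each login name, shown as an added example that is not part of the original answer: `pam_succeed_if.so` tests the name typed at the prompt and skips the token check for every name except the Yubikey one. The account names `alice` and `alice-yk` are hypothetical, and the choice of `pam_u2f.so` as the Yubikey module is an assumption (the page does not say which module is used).

```conf
# Added example: auth section of a PAM service file.
#
# Assumed setup (hypothetical names): two passwd entries that share one UID,
# home directory and shell, each with its own hash in /etc/shadow.
#   alice     -> long passphrase, no token needed
#   alice-yk  -> short password, token required
#
# pam_u2f keeps its key mapping per login name, so the token has to be
# registered under the name alice-yk, not alice.

# If the login name is NOT alice-yk, skip the next 1 module (the token check).
auth  [success=1 default=ignore]  pam_succeed_if.so quiet user != alice-yk

# Reached only for alice-yk: the token must respond or the whole stack fails.
auth  required                    pam_u2f.so cue

# Reached for both names: pam_unix verifies the secret stored for the name
# that was typed (passphrase for alice, short password for alice-yk).
auth  required                    pam_unix.so
```

With this layout the passphrase-only name remains a valid single-factor path, so the short password on `alice-yk` is only as safe as the token requirement in front of it. Try any change to the auth stack from a second console while a root shell stays open, so that a typo cannot lock the account out.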