Make use of built-in fingerprint reader in fido2 sticks by adding userverification=1 #297

Closed
prosac opened this issue Feb 26, 2022 · 3 comments

prosac commented Feb 26, 2022

Before switching to authselect I used the option userverification=1 in my PAM lines that include pam_u2f.so to activate actual fingerprint-based user verification. Without this option, as authselect currently implements it when using with-pam-u2f, my trustkey G320 does not actually verify the fingerprint, but simply waits to be touched. This is close to misleading, but I do not see that as a problem that authselect can fix. What authselect could do is provide an option with-pam-u2f-userverification and ensure very explicit documentation.

While I have a trustkey G320, I guess that this also applies to the Kensington VeriMark and other fido2 sticks with a built-in fingerprint reader.

References

See man pam_u2f.
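
One way to check existing PAM files for the situation described in the post above: list every active pam_u2f.so line that does not carry userverification=1. This is an added example, not part of the original issue or of authselect; the function names and the sample PAM lines are constructed for illustration.

```shell
#!/bin/sh
# audit_pam_u2f FILE...
# Prints "FILE:LINE: <pam line>" for each active pam_u2f.so entry that does
# not set userverification=1 (touch-only presence check, no fingerprint/PIN
# verification). Returns 1 if any such entry was found, 0 otherwise.
audit_pam_u2f() {
    awk '
        /^[ \t]*#/ { next }            # ignore commented-out lines
        /pam_u2f\.so/ {
            ok = 0
            for (i = 1; i <= NF; i++)  # the option must appear as its own argument
                if ($i == "userverification=1") ok = 1
            if (!ok) { printf "%s:%d: %s\n", FILENAME, FNR, $0; bad = 1 }
        }
        END { exit bad + 0 }
    ' "$@"
}

# write_sample PATH: writes a constructed PAM fragment (not from a real system).
write_sample() {
    cat > "$1" <<'EOF'
# auth sufficient pam_u2f.so cue
auth sufficient pam_u2f.so cue
auth sufficient pam_u2f.so cue userverification=1
auth required pam_unix.so
EOF
}

# Demo run against the constructed sample; only line 2 is reported.
sample=$(mktemp)
write_sample "$sample"
audit_pam_u2f "$sample" || echo "found pam_u2f.so lines without userverification=1" >&2
rm -f "$sample"
```

On a real system the function would be pointed at the files under /etc/pam.d/ that include pam_u2f.so.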

@pbrezina
Member

pbrezina commented Mar 7, 2022

Hi, would you be willing to submit a pull request?

@pbrezina
Member

It is not entirely clear to me from the manual page what user verification means and I see there are also other similar options. I am not against including this, but I think it would be better to set these options in a configuration file instead of the PAM stack (they are not changing the module behavior in terms of the PAM stack).

I have opened Yubico/pam-u2f#265

@pbrezina pbrezina added the u2f label Sep 22, 2022
@pbrezina
Member

I'm closing this in favor of the Yubico ticket.
