Turns out that pam_u2f is really obscenely easy to implement token-backed login with.

Even when you want to skip the need to hit the button (shut up), but still require the cryptographic proof to succeed. Very, very cool.

My Pi now automatically logs me in, as long as the U2F key is plugged in and signing, and falls back to passwords otherwise.

One command, one line of file editing. Bosh. Done.

Well done Yubico.
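
As an added example (not the poster's configuration and not Yubico's code), here is a small audit of a PAM auth stack wired the way the post describes: pam_u2f as `sufficient` ahead of the password module, with the touch requirement turned off. It assumes the touchless behaviour comes from the `userpresence=0` module option; the sample stack and the function names are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of a Debian-style auth stack (not the author's file).
sample_stack() {
cat <<'EOF'
# /etc/pam.d/common-auth (constructed)
auth  sufficient                  pam_u2f.so userpresence=0
auth  [success=1 default=ignore]  pam_unix.so nullok
auth  requisite                   pam_deny.so
auth  required                    pam_permit.so
EOF
}

# Reads a PAM stack on stdin; prints one line per pam_u2f auth entry:
#   control=<flag> touch=<skipped|required|authfile> password_fallback=<yes|no>
audit_pam_u2f() {
    awk '
    /^[ \t]*#/ || NF < 3 { next }
    $1 !~ /^-?auth$/     { next }
    {
        mod = 0
        for (i = 2; i <= NF; i++)
            if ($i ~ /pam_(u2f|unix)\.so$/) { mod = i; break }
        if (!mod) next
        if ($mod ~ /pam_unix\.so$/) { last_unix = NR; next }
        # Control may be a bracketed multi-field expression.
        ctl = $2
        for (i = 3; i < mod; i++) ctl = ctl " " $i
        # Absent option: pam_u2f uses the flags stored with each credential.
        touch = "authfile"
        for (i = mod + 1; i <= NF; i++) {
            if ($i == "userpresence=0") touch = "skipped"
            if ($i == "userpresence=1") touch = "required"
        }
        n++; c[n] = ctl; t[n] = touch; at[n] = NR
    }
    END {
        for (k = 1; k <= n; k++) {
            # "sufficient" lets a failed token check fall through to pam_unix.
            fb = (c[k] == "sufficient" && last_unix > at[k]) ? "yes" : "no"
            printf "control=%s touch=%s password_fallback=%s\n", c[k], t[k], fb
        }
    }'
}

sample_stack | audit_pam_u2f
```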