by nybble41
1950 days ago
PAM is pretty flexible. Can't you just edit the configuration to only include the pam_u2f.so module for a certain user, or for users in a certain group? Or add the nouserok option[1] to allow authentication to proceed in the absence of a registered U2F device? The former approach would look something like this; the "default=1" part skips the next directive (pam_u2f.so) when the test fails (i.e. when the user is not in the mandatory_u2f group):

  auth [success=ignore default=1] pam_succeed_if.so user ingroup mandatory_u2f
  auth required pam_u2f.so cue

[1] https://developers.yubico.com/pam-u2f/ "nouserok … Set to enable authentication attempts to succeed even if the user trying to authenticate is not found inside authfile or if authfile is missing/malformed."
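
An added example, not part of the comment above and not libpam code: a simplified Python model of how the two directives are walked, showing which modules run for a user inside and outside mandatory_u2f. The group membership, the user names and the u2f_ok flag are constructed stand-ins, and the model only tracks skips and bad/die actions, not how a full stack decides its final result.

```python
import re

# Shorthand controls in bracket form, as listed in pam.conf(5).
SHORTHAND = {
    "required":   {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
}

# The two directives from the comment above.
STACK = [
    "auth [success=ignore default=1] pam_succeed_if.so user ingroup mandatory_u2f",
    "auth required pam_u2f.so cue",
]
GROUPS = {"mandatory_u2f": {"alice"}}   # constructed sample membership

def parse_line(line):
    """Split one auth line into (actions, module, args)."""
    control, module, args = re.match(
        r"auth\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)", line.strip()).groups()
    if control.startswith("["):
        actions = dict(kv.split("=", 1) for kv in control[1:-1].split())
    else:
        actions = SHORTHAND[control]
    return actions, module, args.split()

def simulate(user, u2f_ok, stack=STACK):
    """Return (modules executed, denied) for one login attempt."""
    executed, denied, skip = [], False, 0
    for actions, module, args in map(parse_line, stack):
        if skip:                      # a numeric action jumped over this line
            skip -= 1
            continue
        executed.append(module)
        if module == "pam_succeed_if.so":      # args: user ingroup <group>
            ok = user in GROUPS.get(args[2], set())
        else:                                  # stand-in for the U2F touch
            ok = u2f_ok
        ret = "success" if ok else "auth_err"
        action = actions.get(ret, actions.get("default", "bad"))  # model: unmapped = bad
        if action.isdigit():
            skip = int(action)        # skip the next N directives
        elif action in ("bad", "die"):
            denied = True
            if action == "die":
                break
        elif action == "done":
            break
    return executed, denied
```

Calling simulate("bob", False) shows pam_u2f.so never running for a user outside the group, while simulate("alice", False) records a denial from the required U2F step.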