feat: Add FIDO2/U2F security key support for lock screen (#1842)

* feat: Add FIDO2/U2F security key support for lock screen

Adds hardware security key authentication (e.g. YubiKey) with two modes:
Alternative (OR) and Second Factor (AND). Includes settings UI, PAM
integration, availability detection, and proper state cleanup.

Also fixes persist:false properties being reset on settings file reload.

* feat: Add U2F pending timeout and Escape to cancel

Cancel U2F second factor after 30s or on Escape key press,
returning to password/fingerprint input.

* fix: U2F detection honors custom PAM override for non-default key paths

quickshell/translations/settings_search_index.json

@@ -3771,6 +3771,48 @@
     ],
     "description": "Use fingerprint reader for lock screen authentication (requires enrolled fingerprints)"
   },
+  {
+    "section": "enableU2f",
+    "label": "Enable security key authentication",
+    "tabIndex": 11,
+    "category": "Lock Screen",
+    "keywords": [
+      "authentication",
+      "enable",
+      "fido",
+      "hardware",
+      "key",
+      "lock",
+      "lockscreen",
+      "login",
+      "password",
+      "screen",
+      "security",
+      "u2f",
+      "yubikey"
+    ],
+    "description": "Use a FIDO2/U2F security key (e.g. YubiKey) for lock screen authentication (requires enrolled keys)"
+  },
+  {
+    "section": "u2fMode",
+    "label": "Security key mode",
+    "tabIndex": 11,
+    "category": "Lock Screen",
+    "keywords": [
+      "alternative",
+      "authentication",
+      "factor",
+      "key",
+      "lock",
+      "lockscreen",
+      "mode",
+      "second",
+      "security",
+      "u2f",
+      "yubikey"
+    ],
+    "description": "Alternative lets the key unlock on its own. Second factor requires password or fingerprint first, then the key."
+  },
   {
     "section": "loginctlLockIntegration",
     "label": "Enable loginctl lock integration",