It just occurred to me the issue with using smartcards/YubiKeys/multifactor for logging into a Qubes system.
If login happens on dom0, and dom0 has no access to USB since USB is in sys-usb, and I don’t believe that the sys-usb qube has been started till after login, I don’t see how we’d be able to use smartcards, or biometrics or similar, since I believe they all use USB.
It would be possible to put USB back in dom0 (which has obvious security problems).
It might be possible to start sys-usb before login (possibly by creating a new “start qube automatically on boot and before login” option for qubes, similar to the current “start qube automatically on boot” option).
However, even if we did that, forwarding the USB device to dom0 seems like a bad idea.
How would we get the authentication information back to dom0 in a safe way?