In order to further secure access to my workstation, after the switch to Gentoo sources, I now enabled two-factor authentication through my Yubico U2F USB device. Well, at least for local access - remote access through SSH requires both userid/password as well as the correct SSH key, by chaining authentication methods in OpenSSH.
Enabling U2F on (Gentoo) Linux is fairly easy. The various guides online which talk
pam_u2f setup are indeed correct that it is fairly simple. For completeness
sake, I've documented what I know on the Gentoo Wiki, as the pam_u2f article.