+ };
+
+ if (!defined($data)) {
+ return $auth_failure->();
+ }
+
+ my ($username, $tfa_info);
+ if ($data =~ m{^u2f!([^!]+)!([0-9a-zA-Z/.=_\-+]+)$}) {
+ # Ticket for u2f-users:
+ ($username, my $challenge) = ($1, $2);
+ if ($challenge eq 'verified') {
+ # u2f challenge was completed
+ $challenge = undef;
+ } elsif (!wantarray) {
+ # The caller is not aware there could be an ongoing challenge,
+ # so we treat this ticket as invalid:
+ return $auth_failure->();
+ }
+ $tfa_info = {
+ type => 'u2f',
+ challenge => $challenge,
+ };
+ } elsif ($data =~ /^tfa!(.*)$/) {
+ # TOTP and Yubico don't require a challenge so this is the generic
+ # 'missing 2nd factor ticket'
+ $username = $1;
+ $tfa_info = { type => 'tfa' };
+ } else {
+ # Regular ticket (full access)
+ $username = $data;