Fingerprint _or_ password login?

Anyone know how to get the fingerprint module to be an or with a password for unlocking the screen or with sudo/etc? I presume this will be some sort of PAM configuration, but I don’t really know how to configure PAM.

This is on Debian testing, if it ends up mattering.

Plasma 6 supports using either/or for login. Note, if you use kwallet you still need to use password for the first login after boot.

How does that work? You don’t have to wait for the fingerprint scan timeout?

I’m on Mint Cinnamon & when I looked into it I saw it said that PAM just doesn’t support either / or. You have to wait for the scan timeout in order to use your password. With some tweaking I got it to do fingerprint for login only & password for sudo and everything else, which was good enough for me.

It’s been a while since I read what the changes actually were, but this is how it works from a user’s perspective:

  1. Open laptop/ be at lock screen
  2. Either enter password or use fingerprint sensor, no other interaction or input selection needed
    2a) If you use the fingerprint scanner, you will have to wait for it to finish scanning. While it is processing, the password is greyed out
  3. You’re logged in

Prior to the 6.0 update it was a pain and didn’t work well.

Too bad my distro doesn’t have Plasma 6. I’m hoping in the next 3-6 months. We’ll see how fast Debian Unstable gets it, and then have it filter down to Testing.

Yes, in 5.x KDE it’s use fingerprint sensor, if it doesn’t work/times out, then you can use password. It’s not either/or. At least how things are currently set up for me. I want it to be either/or like you say in your #2. Enter password OR use fingerprint sensor.

I personally prefer passwords over bio-metrics. I don’t like the possibility of my bio-metric information leaking out anywhere.

So remember the fingerprint readers are creating fuzzy hashes of a scan of parts of your finger, not storing the raw data of your finger. And it’s generally stored on the reader device, not in the OS or other part that’s ‘normally’ accessible.

In general, I agree with you though.

from what i understand, a screen locker may implement fingerprint unlock separate of PAM or opt to start multiple PAM stacks itself. there are also some PAM modules that allow starting their own PAM stacks, and one that is specifically for parallel fingerprint/password authentication.

PAM itself doesn’t support checking authentication methods in parallel (although this has been a requested feature for a while)

What I’m talking about would be in agreement. The Plasma 6 feature works with the lockscreen but not the logind (or non-systemd equivalent) session.

I use XFCE with LightDM and once set up it will always ask for fingerprint first, but the timeout is relatively quick, and then it’ll ask for your password. Same for when using sudo in the terminal.

Slick-greeter and LightDM-GTK work the same, no idea about LightDM-Webkit

with swaylock the timeout is thirty seconds. i think it’s the same for kde polkit (i’m running it under sway if that makes a difference for whatever reason, i also haven’t extensively tested the timeout). with sudo you can just hit CTRL+C to go straight to password auth.

i think you can turn down the timeout in your pam config, but i haven’t been bothered to do so (when fingerprint authentication doesn’t work because it has been tried too many times and it stops to protect the sensor or whatever it goes straight to password)
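
The PAM setting the post above refers to, as an added example that is not part of any post in this thread: a small audit that reads an auth stack in evaluation order and reports where `pam_fprintd.so` sits relative to `pam_unix.so` and which `timeout=` / `max-tries=` options it carries. The sample file content is constructed (modelled on a Debian-style `common-auth`), and the function names are hypothetical.

```python
# Constructed sample, modelled on a Debian-style /etc/pam.d/common-auth.
SAMPLE_COMMON_AUTH = """\
# fingerprint is tried first, password second
auth  [success=2 default=ignore]  pam_fprintd.so max-tries=1 timeout=10
auth  [success=1 default=ignore]  pam_unix.so nullok try_first_pass
auth  requisite                   pam_deny.so
auth  required                    pam_permit.so
"""

def parse_auth_stack(text):
    """Return the 'auth' entries of a PAM file in the order PAM evaluates them."""
    entries = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()      # drop comments, split on whitespace
        if len(fields) < 3 or fields[0].lstrip("-") != "auth":
            continue                               # skip @include, account, session, ...
        if fields[1].startswith("["):
            # A bracketed control such as [success=2 default=ignore] contains spaces.
            end = next((i for i, f in enumerate(fields) if f.endswith("]")), None)
            if end is None or end + 1 >= len(fields):
                continue                           # malformed line, nothing to report
            control, rest = " ".join(fields[1:end + 1]), fields[end + 1:]
        else:
            control, rest = fields[1], fields[2:]
        options = dict(o.partition("=")[::2] for o in rest[1:])
        entries.append({"control": control, "module": rest[0], "options": options})
    return entries

def fingerprint_report(text):
    """Summarise how pam_fprintd.so is wired into the stack, or None if absent."""
    stack = parse_auth_stack(text)
    names = [e["module"] for e in stack]
    if "pam_fprintd.so" not in names:
        return None
    fp = stack[names.index("pam_fprintd.so")]
    opts = fp["options"]
    return {
        # PAM runs modules one after another, so this ordering is what makes the
        # password prompt wait for the fingerprint attempt to finish or time out.
        "fingerprint_before_password": "pam_unix.so" in names
            and names.index("pam_fprintd.so") < names.index("pam_unix.so"),
        "control": fp["control"],
        # None means the option is not set and the module's default applies.
        "timeout": int(opts["timeout"]) if "timeout" in opts else None,
        "max_tries": int(opts["max-tries"]) if "max-tries" in opts else None,
    }

if __name__ == "__main__":
    print(fingerprint_report(SAMPLE_COMMON_AUTH))
```

To check a real system, pass the text of the relevant file under `/etc/pam.d/` to `fingerprint_report` instead of the sample.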

Can’t you configure this in Debian with

sudo pam-auth-update?

or:

sudo pam-auth-update --enable fprintd

It’s not an enable/disable issue, it’s “don’t want to wait for fingerprint to timeout and use password instead”, when I’m using a separate keyboard (UHKv2 split mechanical keyboard on top of the FW16 keyboard). I want it to be either/or, not try fingerprint first and then be able to use password.

Can’t speak to Plasma, but on Gnome 46 a sudo command in the terminal prompts me for a fingerprint, but I can press ctrl+c and it switches to asking for password to proceed.

At the login screen simultaneously the password field is available or I can tap the fingerprint sensor.

The only time I have to fail the fingerprint before the password field is available is when doing something in the gui that requires additional permissions like mounting a luks encrypted drive in the files gui or changing printer settings in the settings gui.

where this works in my setup and where this doesn’t:

sudo command lets you CTRL+C

kde polkit does not (gotta wait it out)

swaylock does not (also gotta wait it out)

SDDM (or whatever the kde login manager was) only allows password auth (i’m probably being silly though and there’s some way to trigger it)