Bug 453877

Summary: Allow multiple simultaneous auth methods to be used without having to fail at one of them, first via multiple PAM stacks
Product: [Plasma] plasmashell Reporter: cirelli94
Component: Screen lockingAssignee: Plasma Bugs List <plasma-bugs-null>
Status: CONFIRMED ---    
Severity: wishlist CC: 4wy78uwh, bshah, bugs.kde.org, eric.brunet, joost, m.lincetto, max, nate, peter
Priority: NOR Keywords: usability
Version First Reported In: 6.2.4   
Target Milestone: 1.0   
Platform: Other   
OS: Linux   
Latest Commit: Version Fixed In:
Sentry Crash Report:

Description cirelli94 2022-05-16 09:25:54 UTC 
SUMMARY
Once I've configured Fingerprint Authentication, I can't unlock the screen with the password anymore.

It's useful for multiple reasons:
sometimes it's closed and attached to external peripherals
sometimes someone else need to log in and I could tell them the password

STEPS TO REPRODUCE
1. Open System Settings > User > Configure Fingerprint Authentication
2. Lock the screen
3. Try to unlock with password

OBSERVED RESULT
It asks for the fingerprint, and fail with the password even if correct.

EXPECTED RESULT
It unlock the screen.

SOFTWARE/OS VERSIONS
Operating System: Fedora Linux 36
KDE Plasma Version: 5.24.5
KDE Frameworks Version: 5.93.0
Qt Version: 5.15.3
Kernel Version: 5.17.6-300.fc36.x86_64 (64-bit)
Graphics Platform: Wayland
Comment 1 Nate Graham 2022-05-16 18:29:06 UTC 
Can reproduce. Not sure if this is something we can fix on our side, or if it's a PAM configuration thing.

FWIW you'll be able to use your text password if you try and fail to authenticate with a fingerprint three times.
Comment 2 Éric Brunet 2023-03-31 17:36:50 UTC 
I have the same issue on a fedora 38 beta.
After failing three times the fingerprint, I can indeed type my password to unlock
It works the other way around: I can type my password, hit enter (nothing happens), and then fail three times the fingerprint; the computer unlocks.
The problem might not be on kde side, as it is also present with other programs.
For instance, if I use sudo, I need to fail three times the fingerprint before being offered a keyboard prompt.
Comment 3 Nate Graham 2023-04-03 15:51:31 UTC 
Yeah I'm pretty sure this is a PAM issue unfortunately.
Comment 4 Éric Brunet 2023-04-14 07:00:24 UTC 
I agree it should be PAM's job, but they don't seem to think so. From the manpage for pam_fprintd:

       The PAM stack is by design a serialised authentication, so it is not
       possible for pam_fprintd to allow authentication through passwords and
       fingerprints at the same time.

       It is up to the application using the PAM services to implement
       separate PAM processes and run separate authentication stacks
       separately. This is the way multiple authentication methods are made
       available to users of gdm for example.

So maybe it is up to kscreenlocker to do the work, after all. There must be some code in gdm that could be adapted in kscreenlocker and in sddm.
Comment 5 Nate Graham 2023-04-14 13:57:05 UTC 
Ah ok, so there is something we can do about it, cool.
Comment 6 Max 2024-10-01 18:26:41 UTC 
If we want to aim for more mainstream adoption this issue should be prioritized more, a lot if not most non-gaming laptops come with fingerprint readers these days (and a bunch of gaming-laptops too), and things like this not working will be noticed, and can cause users some headache trying to fix.

Not being able to use password when fingerprinter is configured creates risk of locking people out, as there are plenty of reasons a fingerprint reader might fail to authenticate (scratched or dirty fingers, very dry skin, scratched sensor, driver bug or bad behaving such as refusing to work after repeated failed scans etc.).

Also the lock-screen currently states: "(or scan you fingerprint on the reader)" below the password field, which is misleading (and also appears on computers without fprint installed or even a fingerprint reader, but that is a separate issue).