478076 – Feature request : Add PAM module and mobile check to provide biometric login to Linux PCs that don't have hardware for it

Bug 478076 - Feature request : Add PAM module and mobile check to provide biometric login to Linux PCs that don't have hardware for it

Summary: Feature request : Add PAM module and mobile check to provide biometric login ...

Status:	RESOLVED DUPLICATE of bug 398931

Alias:	None

Product:	kdeconnect
Classification:	Applications
Component:	common (other bugs)
Version First Reported In:	unspecified
Platform:	unspecified Linux

Importance:	NOR wishlist
Target Milestone:	---
Assignee:	Albert Vaca Cintora

URL:
Keywords:

Depends on:
Blocks:

Reported:	2023-12-04 20:19 UTC by wouffythedog@gmail.com
Modified:	2024-08-06 14:23 UTC (History)
CC List:	3 users (show)

See Also:
Latest Commit:
Version Fixed In:
Sentry Crash Report:

Attachments
Add an attachment

Note You need to log in before you can comment on or make changes to this bug.

Description wouffythedog@gmail.com 2023-12-04 20:19:18 UTC

SUMMARY
A lot of people love biometric auth, because of its speed, security and ease of use. 
But hardware is not always there by default on PC and laptops (especially older ones), and is rather expensive. For those who use multiple PCs and use/switch very often, the use of a dedicated fingerprint reader is not very practical, and fingerprint hardware keys are also expensive.
Today, the great majority of phone users have biometric auth (either touch or face recognition).
Why not use it?

PROS & CONS
This could help for a lot of things:
- Speed for login especially for those that have long passwords 
- Speed for auth, for those who have tight security settings (i personally use sudo a lot, and have to retype my password very often as i switch terminals a lot resetting the sudo timer)
- A great improvement for ease of use, so that when a password is prompted:
        1- the phone rings a notification
        2- the user unlock his phone
        3- the app goes in the foreground (can be inspired from Google's 2FA)
        4- triggers biometric auth
        5- and allow login if biometrics succeeded.
But not only phones can be supported : other PCs can be used to allow login, etc...

But this have some great drawbacks:
- You have to assume your allowed peripherals are secure enough to provide auth login. This is a potential security weakness !
- You have to be aware of the fact that it allows external peripherals on the network to allow authentication on your very own PC, allowing then physical attackers to unlock your PC and leak your very own data (and others too via ssh keys, admin passwords, etc...). This is a potential security vulnerability !

COMPONENTS
This feature request consists of 2 components :
- The first is a PAM module. This talks to peripherals that support biometric login to ask for and receive authorization to proceed the user auth on the PC side.
- The second is a peripheral-side feature in the app, that talks to the PAM modules (not directly i hope) and calls the appropriate biometric auth method for the platform.

Please tell if you have observations about this feature, improvements, or you can just tell why this is great and which parts can help you in your everyday.

I want to make clear that the security issues will be explained well enough to the user when the setting is activated, so the user is aware of the security issues that this creates.

Comment 1 cwo 2024-08-06 14:23:27 UTC

Thank you for this feature request! Another request covers a similar issue (fingerprints more specifically, but other requests for biometric support through KDE Connect have already been marked as duplicates); to make the list of requests easier to follow I'm marking this as a duplicate of that report.

*** This bug has been marked as a duplicate of bug 398931 ***