511297 – Inserting a FIDO2/U2F key is not immediately recognized by lock screen.

Bug 511297 - Inserting a FIDO2/U2F key is not immediately recognized by lock screen.

Summary: Inserting a FIDO2/U2F key is not immediately recognized by lock screen.

Status:	REOPENED

Alias:	None

Product:	plasmashell
Classification:	Plasma
Component:	Screen locking (other bugs)
Version First Reported In:	6.3.6
Platform:	Other Linux

Importance:	NOR normal
Target Milestone:	1.0
Assignee:	Plasma Bugs List

URL:
Keywords:

Depends on:
Blocks:

Reported:	2025-10-29 01:27 UTC by John Andrew McInnes
Modified:	2025-11-18 11:03 UTC (History)
CC List:	2 users (show)

See Also:
Latest Commit:
Version Fixed/Implemented In:
Sentry Crash Report:

Attachments
Add an attachment

Note You need to log in before you can comment on or make changes to this bug.

Description John Andrew McInnes 2025-10-29 01:27:36 UTC

SUMMARY
Inserting a FIDO2/U2F key is not immediately recognized by lock screen. Basically you have to enter a bad password first to get the lock screen to see that you want to enter a U2F PIN.

STEPS TO REPRODUCE
1. Login and lock screen. 
2. Wake screen w/ keyboard or mouse.
3. Insert security key w/ PIN entry requirement.

OBSERVED RESULT
Standard password prompt shows. Type the security key PIN and press enter. Does not result in successful login. Prompt shakes like bad password entered. Then, reenter the PIN and press enter again. It works and you get the "Please touch the device" prompt. Touch the device and then you will login.

EXPECTED RESULT
It would be nice if the lock screen immediately detected the security key and interpreted what you type as a PIN, instead of having to fail the password one time.

SOFTWARE/OS VERSIONS
Linux 6.12
Plasma 6.3.6
libpam-u2f 1.4.0-1 amd64

ADDITIONAL INFORMATION

Comment 1 Bug Janitor Service 2025-10-29 01:33:41 UTC

Thank you for the bug report!

However Plasma 6.3.6 no longer receives updates or maintenance from KDE; active versions are 6.4 or newer. Please upgrade to an active version as soon as your distribution makes it available to you. Plasma is a fast-moving project, and bugs in one version are often fixed in the next one.

If you need help with Plasma 6.3.6, please contact your distribution, who bears the responsibility of providing help for older releases that are no longer receiving updates from KDE.

If you can reproduce the issue after upgrading to an active version, feel free to re-open this bug report.

Comment 2 John Andrew McInnes 2025-10-31 07:39:18 UTC

I upgraded to Plasma 6.5.1 and the bug is still present.

Comment 3 John Andrew McInnes 2025-11-01 21:23:08 UTC

Just as a point of reference - this does work as expected with the sddm display manager. You can type a PIN, insert your security key, and then press enter on the keyboard. It will light up your security key and sign you in when you touch the key.

Comment 4 dinghy 2025-11-18 11:03:46 UTC

I can confirm this issue from John Andrew McInnes! 

When locking screen while a token like Nitrokey is still plugged in, it will unlock the screen on the first try when entering the correct pin. If the token like Nitrokey gets plugged out and plugged in again when the screen is locked, then on the first try the promt shakes like bad password entered. On the 2nd try, it unlocks. 

I did a journalctl -aef and can share the logs here: 
ov 18 11:53:03 myusername kernel: usb 1-4: USB disconnect, device number 20
Nov 18 11:53:04 myusername systemd[1]: Stopped target Smart Card.
Nov 18 11:53:04 myusername systemd[1137]: Stopped target Smart Card.
Nov 18 11:53:04 myusername kded6[1537]: Failed to notify "Created too many similar notifications in quick succession"
Nov 18 11:53:07 myusername kscreenlocker_greet[29379]: pam_warn(kde-fingerprint:auth): function=[pam_sm_authenticate] flags=0 service=[kde-fingerprint] terminal=[<unknown>] user=[myusername] ruser=[<unknown>] rhost=[<unknown>]
Nov 18 11:53:07 myusername kscreenlocker_greet[29379]: pam_warn(kde-smartcard:auth): function=[pam_sm_authenticate] flags=0 service=[kde-smartcard] terminal=[<unknown>] user=[myusername] ruser=[<unknown>] rhost=[<unknown>]
Nov 18 11:53:07 myusername kernel: usb 1-4: new full-speed USB device number 21 using xhci_hcd
Nov 18 11:53:08 myusername kernel: usb 1-4: New USB device found, idVendor=20a0, idProduct=42b2, bcdDevice= 1.08
Nov 18 11:53:08 myusername kernel: usb 1-4: New USB device strings: Mfr=1, Product=2, SerialNumber=0
Nov 18 11:53:08 myusername kernel: usb 1-4: Product: Nitrokey 3
Nov 18 11:53:08 myusername kernel: usb 1-4: Manufacturer: Nitrokey
Nov 18 11:53:08 myusername kernel: hid-generic 0003:20A0:42B2.000A: hiddev96,hidraw0: USB HID v1.11 Device [Nitrokey Nitrokey 3] on usb-0000:00:14.0-4/input1
Nov 18 11:53:08 myusername mtp-probe[29452]: checking bus 1, device 21: "/sys/devices/pci0000:00/0000:00:14.0/usb1/1-4"
Nov 18 11:53:08 myusername mtp-probe[29452]: bus: 1, device: 21 was not an MTP device
Nov 18 11:53:08 myusername systemd[1]: Reached target Smart Card.
Nov 18 11:53:08 myusername systemd[1137]: Reached target Smart Card.
Nov 18 11:53:08 myusername mtp-probe[29457]: checking bus 1, device 21: "/sys/devices/pci0000:00/0000:00:14.0/usb1/1-4"
Nov 18 11:53:08 myusername mtp-probe[29457]: bus: 1, device: 21 was not an MTP device
Nov 18 11:53:08 myusername kded6[1537]: Failed to notify "Created too many similar notifications in quick succession"
Nov 18 11:53:10 myusername unix_chkpwd[29467]: password check failed for user (myusername)
Nov 18 11:53:10 myusername kscreenlocker_greet[29379]: pam_unix(kde:auth): authentication failure; logname=myusername uid=1000 euid=1000 tty= ruser= rhost=  user=myusername
Nov 18 11:53:10 myusername kscreenlocker_greet[29379]: pam_kwallet5(kde:auth): pam_kwallet5: pam_sm_authenticate
Nov 18 11:53:10 myusername unix_chkpwd[29469]: password check failed for user (myusername)
Nov 18 11:53:16 myusername kscreenlocker_greet[29379]: pam_warn(kde-fingerprint:auth): function=[pam_sm_authenticate] flags=0 service=[kde-fingerprint] terminal=[<unknown>] user=[myusername] ruser=[<unknown>] rhost=[<unknown>]
Nov 18 11:53:16 myusername kscreenlocker_greet[29379]: pam_warn(kde-smartcard:auth): function=[pam_sm_authenticate] flags=0 service=[kde-smartcard] terminal=[<unknown>] user=[myusername] ruser=[<unknown>] rhost=[<unknown>]
Nov 18 11:53:19 myusername kwin_wayland_wrapper[29379]: warning: queue "mesa egl surface queue" 0x7fe55c6ec470 destroyed while proxies still attached:
Nov 18 11:53:19 myusername kwin_wayland_wrapper[29379]:   wp_presentation#40 still attached
Nov 18 11:53:19 myusername kscreenlocker_greet[29379]: Could not create EGL surface (EGL error 0x3000)
Nov 18 11:53:19 myusername kwin_wayland_wrapper[29379]: warning: queue "mesa egl surface queue" 0x7fe540a92e90 destroyed while proxies still attached:
Nov 18 11:53:19 myusername kwin_wayland_wrapper[29379]:   wp_presentation#40 still attached
Nov 18 11:53:19 myusername kscreenlocker_greet[29379]: Could not create EGL surface (EGL error 0x3000)
Nov 18 11:53:19 myusername kscreenlocker_greet[29379]: Failed to write to the pipe: Bad file descriptor.
Nov 18 11:53:20 myusername wpa_supplicant[1008]: wlp58s0: Reject scan trigger since one is already pending

Infos:
Operating system: NixOS 25.11
KDE Plasma version: 6.5.2
KDE Frameworks version: 6.20.0
Qt version: 6.10.0
Kernel version: 6.12.58 (64-bit)
Graphics platform: Wayland
Processors: 4 × Intel® Core™ i5-7300U CPU @ 2.60GHz
Memory: 16 GiB of RAM (15.5 GiB usable)
Graphics processor: Intel® HD Graphics 620
Manufacturer: LENOVO
Product name: 20HGS0SR00
System version: ThinkPad T470s