auth required pam_env.so
auth requisite pam_faillock.so preauth
auth [success=2 new_authtok_reqd=2 default=ignore] pam_u2f.so cue    <--- newly added line
auth [success=1 new_authtok_reqd=1 ignore=ignore default=bad] pam_unix.so nullok try_first_pass
auth [default=die] pam_faillock.so authfail
auth optional pam_cap.so

If the security stick is already plugged in when the KDE lock screen starts, the KDE lock screen shows the cue and the LED of the security stick flashes. Touching the security key unlocks KDE as expected.
However, if the security stick is not plugged in, or when the security stick is removed, the KDE lock screen falls back to password-based login. That's fine, because the security stick is not available and I assume that pam_u2f just returns a failure. The problem is that the KDE lock screen does not go back to FIDO2 authentication when the security stick is re-inserted. However, this is the typical use case: users lock the desktop UI, go away and take their security stick with them. Later, users come back, re-insert the security stick and want to log in again.
However, there is a hackish workaround: if a user plugs in the security stick and enters an invalid password (such that authentication fails completely), the KDE lock screen restarts the entire authentication process and PAM finds the re-inserted security stick. After that, the KDE lock screen shows the cue again and touching the security stick triggers the login.
However, intentionally letting the login process fail with an invalid password is a bad user experience. Also, this workaround is only possible as long as password-based login is still enabled as a fallback. At some time in the future, I intend to remove pam_unix from PAM and make pam_u2f required.
Is that expected behavior? Or did I miss some configuration?
I expected the following behavior: while the security stick is plugged in, the lock screen shows the cue. If the security stick is removed, the lock screen falls back to password-based login. When the security stick is re-inserted, the lock screen immediately goes back to FIDO2 authentication automatically and shows the cue. There shouldn't be any need to let the authentication process fail first.
PS: There is a related question regarding the SDDM display manager: viewtopic-p-8827078.html#8827078
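The control-flag logic of the stack quoted in the post can be checked outside of PAM. The following Python program is an added example, not code from the post, from KDE or from Linux-PAM: it re-implements the dispatch rules pam.d(5) documents (ok/done, bad/die, ignore, reset and the numeric jumps) over the posted configuration and runs the three situations the post describes (key present and touched; key absent with a correct password; key absent with a wrong password). Module return values are scenario inputs, not real module behaviour: that pam_u2f returns PAM_AUTH_ERR when no key is plugged in is the post's own assumption, and NO_PASSWORD_STACK is one guess at the shape of the pam_unix-less stack the post says it intends to move to, not the author's configuration. The lock screen's decision to restart the conversation is outside PAM and is not modelled.

```python
"""Toy evaluator for Linux-PAM auth-stack control flags (added example, not the
post's or libpam's code). Parses pam.d "auth" lines, expands keyword controls
into bracket form and dispatches the stack the way pam.d(5) describes."""
import re

SUCCESS, AUTH_ERR, PERM_DENIED = "success", "auth_err", "perm_denied"

# Keyword controls in the bracket form pam.d(5) gives for them.
KEYWORDS = {
    "required":   "[success=ok new_authtok_reqd=ok ignore=ignore default=bad]",
    "requisite":  "[success=ok new_authtok_reqd=ok ignore=ignore default=die]",
    "sufficient": "[success=done new_authtok_reqd=done default=ignore]",
    "optional":   "[success=ok new_authtok_reqd=ok default=ignore]",
}
LINE_RE = re.compile(r"^auth\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

# The stack quoted in the post (the "<--- newly added line" remark dropped).
POSTED_STACK = """
auth required pam_env.so
auth requisite pam_faillock.so preauth
auth [success=2 new_authtok_reqd=2 default=ignore] pam_u2f.so cue
auth [success=1 new_authtok_reqd=1 ignore=ignore default=bad] pam_unix.so nullok try_first_pass
auth [default=die] pam_faillock.so authfail
auth optional pam_cap.so
"""

# ASSUMPTION: one possible shape of the future stack the post mentions (pam_unix
# removed, pam_u2f mandatory). success=1 skips the authfail line after a touch.
NO_PASSWORD_STACK = """
auth required pam_env.so
auth requisite pam_faillock.so preauth
auth [success=1 new_authtok_reqd=1 default=bad] pam_u2f.so cue
auth [default=die] pam_faillock.so authfail
auth optional pam_cap.so
"""


def parse_stack(text):
    """Return [(actions, module, args)] for the auth lines of a pam.d fragment."""
    stack = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparsable pam.d line: {raw!r}")
        control, module, args = m.groups()
        bracket = KEYWORDS.get(control, control)
        actions = dict(kv.split("=", 1) for kv in bracket.strip("[]").split())
        stack.append((actions, module, args))
    return stack


def run_stack(stack, returns):
    """Dispatch `stack`. `returns` maps "module args" or "module" to the return
    value that module is assumed to produce (unlisted modules succeed).
    Gives (final status, list of modules that actually ran)."""
    impression, status, ran, i = None, None, [], 0
    while i < len(stack):
        actions, module, args = stack[i]
        key = f"{module} {args}".strip()
        ret = returns.get(key, returns.get(module, SUCCESS))
        ran.append(key)
        # No explicit action for this return value -> default=; and with no
        # default= either, pam.d(5) treats the value as bad.
        action = actions.get(ret, actions.get("default", "bad"))
        jump = 0
        if action.isdigit():  # N: like ok, plus skip the next N modules
            jump, action = int(action), "ok"
        if action in ("ok", "done"):
            # a success never overrides an earlier recorded failure
            if impression is None or (impression == "positive" and status == SUCCESS):
                impression, status = "positive", ret
            if action == "done":
                break
        elif action in ("bad", "die"):
            # the first failure decides the status of the whole stack
            if impression != "negative":
                impression, status = "negative", ret
            if action == "die":
                break
        elif action == "reset":
            impression, status = None, None
        elif action != "ignore":
            raise ValueError(f"unknown action {action!r}")
        i += 1 + jump
    # Nothing counted at all (everything ignored) is a denial.
    return (status if impression else PERM_DENIED), ran


def scenarios():
    posted, nopw = parse_stack(POSTED_STACK), parse_stack(NO_PASSWORD_STACK)
    return {
        "key present, touched": run_stack(posted, {}),
        "key absent, correct password": run_stack(posted, {"pam_u2f.so": AUTH_ERR}),
        "key absent, wrong password": run_stack(
            posted, {"pam_u2f.so": AUTH_ERR, "pam_unix.so": AUTH_ERR}),
        "no-password stack, key absent": run_stack(nopw, {"pam_u2f.so": AUTH_ERR}),
    }


if __name__ == "__main__":
    for name, (status, ran) in scenarios().items():
        print(f"{name:30} -> {status:11}  ran: {' > '.join(ran)}")
```

Running it shows the three paths the post reasons about: a successful touch jumps over both pam_unix and the faillock authfail line; a missing key is ignored and a correct password jumps over authfail; a wrong password records the failure, authfail's [default=die] terminates the stack, and pam_cap never runs. With the assumed no-password stack a missing key ends in auth_err straight away, so once pam_unix is removed there is no stack-level fallback left at all.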
