GNOME Bugzilla – Bug 691300
No feedback on fingerprint authentication failure
Last modified: 2021-07-05 14:23:33 UTC
My laptop has got a Validity VFS301 fingerprint scanner and I tried both gnome-shell 3.6.2 from Fedora 18 repositories and 3.7.3 built with jhbuild.

Steps to Reproduce:
1. Lock the screen.
2. Remove the screen shield. The message "or swipe finger" is shown below password entry.
3. Swipe a wrong finger.
4. Wait a second and swipe a wrong finger again.
5. Wait a second and swipe a wrong finger a third time.

Actual Results:
No feedback is given at any time.
After first and second tries: nothing happens.
After third try: "or swipe finger" message 'magically' goes away.

Expected Results:
Feedback should be provided in some form, informing the user that the attempt has failed and offering to try again. Also, inform the user when the number of available tries runs out and password and another method should be used instead.

Additional observation:
If fingerprint authentication has failed three times, after successful password authentication, showing a notification "You may want to reconfigure your fingerprint in Settings [Update Fingerprint]" (excuse my poor wording) may be a helpful addition.
of course, before committing any changes here, we should audit pam_fprint's messages to make sure they're readily displayable and don't include any technobabble.
In fact, the comment in the code cites "words like UPEK" (which I don't see in http://cgit.freedesktop.org/libfprint/fprintd/tree/pam/pam_fprintd.c) but also adds:

    // we don't want to show auth failed messages to
    // users who haven't enrolled their fingerprint.

So we must also make sure that password users are not affected by this when fprint is enabled.

One way to do it is to have GDM pass down PAM codes to gnome-shell, so we can discriminate on PAM_AUTHINFO_UNAVAIL vs PAM_AUTH_ERR, but this would require another API break in 3.8.

Another possibility is to send VerificationFailed on anything but PAM_SUCCESS, but send the Problem message only for PAM_AUTH_ERR (or similar non-configuration related messages). Then, gnome-shell upon receiving a failure without a message would show a general error (or a fail whale even), and the user would be prompted to the logs for debugging.
we already emit "service-unavailable" for AUTHINFO_UNAVAIL
Created attachment 233097
Gdm: show error messages from fingerprint

If the user did not enroll his fingerprint, pam_fprintd will report authinfo_unavail, which will result in a service-unavailable signal. We can use that as a hint to control the '(or swipe finger)' hint, and instead let error messages through, to give feedback in case authentication fails.
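The signalling scheme discussed in the comments above, as an added JavaScript model that is not part of the original thread and is not GDM or gnome-shell code. The function names, the service names, the `success` signal and the message strings are assumptions made for illustration; PAM result codes are modelled as plain strings.

```javascript
// Added illustration: function, constant and message names are hypothetical,
// not GDM or gnome-shell API. PAM codes are modelled as strings.
const FINGERPRINT = 'fingerprint-service';      // placeholder service name
const GENERIC_ERROR = 'Authentication error';   // constructed text
const USER_FACING = new Set(['PAM_AUTH_ERR']);  // codes whose message is shown

// Daemon side: turn one PAM result into the signals named in the thread.
function signalsForPamResult(service, pamCode, pamMessage) {
  if (pamCode === 'PAM_SUCCESS')
    return [{ type: 'success', service }];
  const signals = [];
  if (pamCode === 'PAM_AUTHINFO_UNAVAIL')
    signals.push({ type: 'service-unavailable', service });
  else if (USER_FACING.has(pamCode) && pamMessage)
    signals.push({ type: 'problem', service, message: pamMessage });
  // VerificationFailed on anything but PAM_SUCCESS.
  signals.push({ type: 'verification-failed', service });
  return signals;
}

// Shell side: decide what the unlock prompt displays.
function handleSignal(state, sig) {
  const unavailable = state.unavailable.has(sig.service);
  if (sig.type === 'service-unavailable') {
    // Not enrolled or no device: hide the swipe hint, stay silent afterwards.
    state.unavailable.add(sig.service);
    if (sig.service === FINGERPRINT) state.hintVisible = false;
  } else if (sig.type === 'problem' && !unavailable) {
    state.shown.push(sig.message);
    state.explained.add(sig.service);
  } else if (sig.type === 'verification-failed' && !unavailable) {
    // Failure with no displayable message: fall back to a general error.
    if (!state.explained.delete(sig.service)) state.shown.push(GENERIC_ERROR);
  }
  return state;
}

// Feed a list of [service, pamCode, pamMessage] results through both sides.
function simulate(results) {
  const state = { unavailable: new Set(), explained: new Set(),
                  hintVisible: true, shown: [] };
  for (const [service, code, message] of results)
    for (const sig of signalsForPamResult(service, code, message))
      handleSignal(state, sig);
  return state;
}
```
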
Hard code freeze ping!
Comment on attachment 233097
Gdm: show error messages from fingerprint

Patch doesn't apply cleanly any more.
GNOME is going to shut down bugzilla.gnome.org in favor of gitlab.gnome.org. As part of that, we are mass-closing older open tickets in bugzilla.gnome.org which have not seen updates for a longer time (resources are unfortunately quite limited so not every ticket can get handled). If you can still reproduce the situation described in this ticket in a recent and supported software version, then please follow https://wiki.gnome.org/GettingInTouch/BugReportingGuidelines and create a new ticket at https://gitlab.gnome.org/GNOME/gnome-shell/-/issues/ Thank you for your understanding and your help.