[systemd-devel] Disallowing fingerprint authentication if pam_systemd_home.so needs a password
juice
juice at swagman.org
Mon Apr 25 15:03:59 UTC 2022
25. huhtikuuta 2022 16.39.56 GMT+03:00 Benjamin Berg <benjamin at sipsolutions.net> kirjoitti:
>On Mon, 2022-04-25 at 13:28 +0200, Lennart Poettering wrote:
>>
>> Hmm, not sure I follow? I don't know how fingerprint flow of control
>> is. Is this about authentication-by-fingerprint? Or already about
>> user-selection-by-fingerprint?
>
>I was just thinking of authentication-by-fingerprint. Though I don't
>think it makes a big difference here.
>
Using fingerprint for *authentication* is totally broken concept which should never be allowed.
Fingerprints are *userid*, never *password*.
We leave our fingerprints lying around all the time, and given malicious enough adversaries they might as well take our fingers too. (I sure would like to avoid that possibility!!)
Fingerprints can be used on place of username, that is OK and does not present similar risks.
- Juice -
More information about the systemd-devel
mailing list