"Double" lock screen: first screen requires password, second screen requires buton clock

I have upgraded from Plasma/KDE 5 on X11 to Plase/KDE 6 running on a KWin Wayland session. One regression issue I encounter is that there is now a kind of “double” lock screen:

When I am logged into a KDE session, go away from keyboard and the lock screen appears, then the first one looks like the traditional KDE 5 (Breeze themed) lock screen. In the middle of the screen there is my user name and below an input field into which I can type the password. However, after that some kind of second lock screen appears which nearly looks like the first one but has a button with the caption “Unlock” instead of the password input field. After I have clicked onto the button, I am back into the KDE session.

That second step is completely unnecessary. I have already pressed the “arrow” button right of the password input field (or hit the enter key), why that second screen with an additional button?

I can I disable that?

I believe the issue with this “double lock screen” is somehow related to the new PAM configuration files /etc/pam.d/kde-fingerprint and /etc/pam.d/kde-smartcard next to the old /etc/pam.d/kde. The latter has already existed in KDE 5, the other two seem to have been added with KDE 6.

However, I was not able to figure out, how kde-fingerprint and kde-smartcard are supposed to interact with kde.

In Gentoo, the PAM config files include each other like this

sshd        -->     system-remote-login  --+
                                           |
kde         --+                            |
login       --+-->  system-local-login   --+-->  system-login  -------+
rununser-l  --+                            |                          |
                                           |                          |
sddm        -------------------------------+                          |
                                                                      |
                    su-l  -------------------->  su     --------------+-->  system-auth
                                                                      |
                                                 chfn   --------------+
                                                 ...                  |
                                                 <everything else>  --+
                                                 ...                  |
                                                 vlock              --+

Hence, some time back I edited system-auth to add U2F support for everything. The authentication section in /etc/pam.d/system-auth looks like:

# The advanced control below works as follws:
#
#  - If U2F succeeds, then the next 2 lines are skipped.
#    This means it is sufficient enough to skip password login (and faillock),
#    but the remaining modules are still executed.
#  - If U2F fails, the error is ignored and password-login gets it chance.
#  - If UNIX succeeds, then the next line is skipped.
#    This means faillock is by-passed, but the reamining modules are still
#    executed.
#    (This is default behaviour by Gentoo.)
#  - If UNIX fails, then this is considered ultimately bad.
#
#

auth        required                                                    pam_env.so
auth        requisite                                                   pam_faillock.so   preauth
auth        [success=2 new_authtok_reqd=2 default=ignore]               pam_u2f.so        cue
auth        [success=1 new_authtok_reqd=1 ignore=ignore default=bad]    pam_unix.so       nullok try_first_pass
auth        [default=die]                                               pam_faillock.so   authfail
auth        optional                                                    pam_cap.so

I can also observe that behavior with the fingerprint unlocking. However there are two ‘modes’.

1. there is a message above the password input field: 'Place your finger on the fingerprint reader
2. there is a message below the password input field: ‘(or scan your fingerprint on the reader)’

In case 1 if the fingerprint is recognized I am seeing an unlock button before the session is unlocked
In case 2 the session is immediately unlocked upon successful fingerprint recognition.

Which case occurs appears random.

I also appears, that in case 1 the message of case 2 is displayed at first, but for a very short time.

The pam files (I have not changed these from system default):

/etc/pam.d
# ❯ cat kde
#%PAM-1.0
auth       include                     system-local-login
account    include                     system-local-login
password   include                     system-local-login
session    include                     system-local-login

/etc/pam.d
# ❯ cat kde-fingerprint 
#%PAM-1.0

auth       required                    pam_shells.so
auth       requisite                   pam_nologin.so
auth       requisite                   pam_faillock.so      preauth
-auth      required                    pam_fprintd.so
auth       optional                    pam_permit.so
auth       required                    pam_env.so

account    include                     system-local-login

password   required                    pam_deny.so

session    include                     system-local-login

/etc/pam.d
# ❯ cat system-local-login
#%PAM-1.0

auth      sufficient pam_fprintd.so
auth      include   system-login
account   include   system-login
password  include   system-login
session   include   system-login

System Information:

Operating System: EndeavourOS
KDE Plasma Version: 6.2.2
KDE Frameworks Version: 6.7.0
Qt Version: 6.8.0
Kernel Version: 6.11.6-2-cachyos (64-bit)
Graphics Platform: Wayland
Processors: 8 × 11th Gen Intel® Core™ i5-1135G7 @ 2.40GHz
Memory: 15,3 GiB of RAM
Graphics Processor: Mesa Intel® Xe Graphics
Manufacturer: LENOVO
Product Name: 20XYS10502
System Version: ThinkPad X1 Yoga Gen 6

Case 1:

IMG_32202016×1512 1.52 MB

IMG_32242016×1512 1.65 MB

Case 2:

IMG_32264032×3024 3.49 MB

Taking screenshots is a bit difficult on the Lock Screen. (-: