Hi everyone,
I’m testing the new Plasma Login Manager with fingerprint authentication and I’d like to share my experience and ask for guidance.
What happens:
- After a cold boot, if I log in using fingerprint, the session authenticates correctly.
- However, the login screen still shows an “Unlock” button that I must click to fully enter the session.
- After login, KWallet is not unlocked automatically and asks for the password.
- If I log in with password instead (first login after boot), KWallet unlocks normally and the session flow feels complete.
- After that, using fingerprint for screen lock/unlock works fine.
My understanding so far:
- Fingerprint authenticates the user but does not provide the password to PAM.
- KWallet and some session services still rely on password-based unlock.
- The extra “Unlock” button seems to finalize session initialization.
My questions:
- Is this the expected behavior of the new Plasma Login Manager?
- Is there any recommended configuration to improve this flow?
- Is it better practice to use fingerprint only for screen unlock, not initial login?
- Are there plans to better integrate fingerprint auth with session startup and KWallet?
I’m not sure if this is a limitation, a design decision, or something I can configure better.
Any insight from KDE devs or advanced users would be appreciated.
Thanks!
2 Likes
How did you get login with fingerprint working? I just switched from sddm and was disappointed that I couldn’t sign in with my fingerprint reader. I took a look at the repository and there it says that I can find default in /usr/lib/plasmalogin/defaults.conf but that file or folder doesn’t exist for me.
After some more tests, my fingerprint works on screenlock, sudo, and other requests in KDE but not on first boot login. I guess this is OK for now.
I’ll leave here the steps I used to make it work:
- Install fprintd and a libfprint that supports your device.
- Register the fingerprint with fprintd-enroll
- Verify that it recognizes your fingerprint with fprintd-verify
- Edit /etc/pam.d/sudo with:
    #%PAM-1.0
    auth sufficient pam_fprintd.so timeout=8
    auth include system-auth
    account include system-auth
    session include system-auth
- Edit (in my case I had to create the file) /etc/pam.d/polkit-1 with:
    #%PAM-1.0
    auth sufficient pam_fprintd.so timeout=8
    auth required pam_unix.so try_first_pass
    account required pam_unix.so
    session include system-auth
DONE, you can test it without rebooting using sudo ls in a new terminal
1 Like
Your experience makes sense to me. Factually, KWallet only unlocks successfully using a display manager if
- the wallet name is kdewallet and
- the password of the wallet matches your account password
Source (archlinux.org)
These restrictions have a very specific reason:
Behind the scenes, the password is passed to PAM for validation and during that, a hook is executed which grabs the password and tries to unlock the wallet with it. If you are using fingerprint unlock, there is no password to grab and no way to “know” how to unlock the wallet. So your understandings are correct: Since KWallet relies on unlocking with a password, unless that changes, it won’t be unlockable with a fingerprint.
For subsequent logins using Plasma’s lockscreen, I think locking / unlocking depends on your setup, meaning what you have set up here:
With my setup, the wallet stays open, unless the session ends. Which means, subsequent lock/unlock cycles don’t need to open the wallet because it was never closed. I think, if you enable “when screensaver starts”, your wallet would stay closed when you dismiss the lockscreen with fingerprint.
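
The effect discussed in this thread, shown as an added example that is not part of any post above: a simplified Python model of how PAM walks the auth lines of the polkit-1 file posted earlier, reporting whether a password ever reaches the stack for a later hook to reuse. The function names, the two module sets, and the restriction to the sufficient/required/requisite control flags are assumptions made for illustration, not PAM's own implementation.

```python
# Added example: simplified model of how PAM walks an "auth" stack.
# Assumptions: only sufficient/required/requisite are modelled; "include"
# lines and modules not listed below are skipped. Real PAM has more cases.

# The polkit-1 stack as posted in this thread.
POLKIT_STACK = """\
#%PAM-1.0
auth sufficient pam_fprintd.so timeout=8
auth required pam_unix.so try_first_pass
account required pam_unix.so
session include system-auth
"""

FINGERPRINT_MODULES = {"pam_fprintd.so"}
PASSWORD_MODULES = {"pam_unix.so"}  # modules that receive the typed password


def parse_auth(stack_text):
    """Return [(control, module)] for the auth lines of a PAM service file."""
    entries = []
    for raw in stack_text.splitlines():
        fields = raw.split("#", 1)[0].split()  # drop comments, then tokenize
        if len(fields) >= 3 and fields[0] == "auth" and fields[1] != "include":
            entries.append((fields[1], fields[2]))
    return entries


def simulate(entries, fingerprint_ok, password_ok):
    """Walk the auth stack; return (authenticated, password_reached_stack)."""
    password_seen = any_success = failed = False
    for control, module in entries:
        if module in FINGERPRINT_MODULES:
            ok = fingerprint_ok
        elif module in PASSWORD_MODULES:
            ok, password_seen = password_ok, True
        else:
            continue
        if ok:
            any_success = True
            if control == "sufficient" and not failed:
                return True, password_seen  # stack stops here
        elif control == "requisite":
            return False, password_seen
        elif control == "required":
            failed = True
    return any_success and not failed, password_seen


if __name__ == "__main__":
    stack = parse_auth(POLKIT_STACK)
    print("fingerprint match:", simulate(stack, True, True))
    print("fingerprint fails, password typed:", simulate(stack, False, True))
```

When the fingerprint matches, the walk ends at the sufficient line and the second value is False: no password was ever entered, which is why a password-based wallet unlock has nothing to work with.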