I know, I know. Fake security etc etc.
However, my t700 has it and I’d like to play with it.
What would be likely scenarios?
A “low security” scenario where you can unlock the screensaver with it. While you are in a relatively secure location that might be sufficient.
A “higher security” scenario where you need a fingerprint to get to the password prompt. Why not, after all? Yes, you still can be locked out. But maybe “have fingerprint – can access the current session, no fingerprint – need to restart it losing ephemeral data even if you have the password” could be somewhat useful.
Making a companion service that passes the fingerprint status to dom0 somehow might be trivial.
If your fingerprint reader works with fprintd, this is actually possible right now in Qubes OS 4.3.
This comment helped me get it set up:
Essentially, you have to have a Qube (could be sys-usb, but it’s more secure to use a dedicated Qube) with your reader connected, enroll a fingerprint in fprintd, and use a script to check your fingerprint within that Qube, either required in PAM for fingerprint 2FA or sufficient to have optional fingerprint login.
Though if you go the 2FA route, be aware that if your fingerprint Qube ever stops working, you’ll be locked out. I’ve had a couple of times where I had to log in as root in a TTY to manually restart my fingerprint Qube.
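
One way to write the dom0 side of the setup described in the post above, as an added example that is not part of the thread or of the comment it refers to: a script for `pam_exec` that runs `fprintd-verify` in the fingerprint qube and separates "finger did not match" from "qube unavailable", the case that causes the lockout under `required`. The qube name `sys-fingerprint`, the timeout and the script path are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). Runs in dom0 and asks the fingerprint
# qube to run fprintd-verify. Qube name, timeout and install path are assumptions.
FP_QUBE="${FP_QUBE:-sys-fingerprint}"   # hypothetical dedicated qube holding the reader
FP_TIMEOUT="${FP_TIMEOUT:-15}"          # seconds to wait for a finger

# Returns 0 = finger matched, 1 = finger did not match,
#         2 = qube or reader unavailable (the lockout case under "required").
fp_verify() {
    # Report a stopped qube at once instead of waiting on it from the login path.
    if ! qvm-check --running "$FP_QUBE" >/dev/null 2>&1; then
        return 2
    fi
    # fprintd-verify prints "Verify result: <status>"; match on the status
    # name rather than relying on the exit code alone.
    out=$(timeout "$FP_TIMEOUT" qvm-run --pass-io "$FP_QUBE" fprintd-verify 2>/dev/null) || true
    case "$out" in
        *verify-no-match*) return 1 ;;
        *verify-match*)    return 0 ;;
        *)                 return 2 ;;   # timeout, no reader, no enrolled finger
    esac
}

# Entry point for pam_exec: any non-zero exit is an authentication failure,
# so the reason is logged to tell a dead qube apart from a bad finger.
pam_entry() {
    rc=0
    fp_verify || rc=$?
    if [ "$rc" -eq 2 ] && command -v logger >/dev/null 2>&1; then
        logger -t fp-verify "fingerprint qube $FP_QUBE unavailable"
    fi
    return "$rc"
}

# PAM lines in dom0 (script path is hypothetical):
#   optional login: auth sufficient pam_exec.so quiet /usr/local/bin/fp-verify --pam
#   2FA:            auth required   pam_exec.so quiet /usr/local/bin/fp-verify --pam
if [ "${1:-}" = "--pam" ]; then
    pam_entry
    exit $?
fi
```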