How can I set up my YubiKey with fingerprint or another usb- with fingerprint?
There is a documentation entry about it.
What if your password (fingerprint) gets copied by someone?
How is this possible? The fingerprint is just a third factor for activating the key. You also have the YubiKey, so this should not be a problem.
I’m just generally not a fan of using fingerprints. Once copied (compromised), you can’t change it.
I’ve just implemented this for my own setup. Having three factors (i.e., pw, YubiKey, and fingerprint) seems much better to me than having two or just a single factor. Surprisingly, I couldn’t find a write-up, only your question. So below is a quick and dirty write-up. Be careful with testing so that you don’t lock yourself out.
- Install fprintd and polkit in sys-usb (without polkit I was getting some weird authentication errors).
- Enroll fingerprint in sys-usb using fprintd-enroll.
- Add /usr/local/bin/fprint-auth file in dom0:

```
#!/bin/sh
# Run fprintd-verify in sys-usb; exec makes its exit status the status
# of this script, which is what pam_exec evaluates.
exec qvm-run -q --no-gui -u root sys-usb fprintd-verify
```

- Add this at the beginning of /etc/pam.d/login:

```
auth required pam_exec.so expose_authtok /usr/local/bin/fprint-auth
```
xscreensaver-auth runs under the uid and gid of the user (not root) in Qubes 4.2. Therefore, the qvm-run command will fail immediately, because it cannot connect to the qubesd socket. /usr/local/bin/fprint-auth needs to be adjusted like this:

```
#!/bin/sh
exec /usr/bin/sg qubes -c '/usr/bin/qvm-run -q --no-gui -u root sys-usb /usr/bin/fprintd-verify'
```
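
Because the `pam_exec.so` line above makes every login depend on the helper script, it is worth checking the helper before relying on it. The following is an added example, not code from this thread or from Qubes: it reads a PAM service file, finds the helper each `pam_exec.so` auth line runs, and reports helpers that are missing, not executable, not owned by the expected user, or writable by group or others. The function name `check_pam_exec` and its second parameter are hypothetical, and GNU `stat` is assumed.

```shell
#!/bin/sh
# Added example (not from the thread): lint helpers that PAM runs via pam_exec.
# Assumes GNU stat. Returns 0 = clean, 1 = at least one finding,
# 2 = no pam_exec auth line found in the given file.
check_pam_exec() {
    pam_file=$1
    want_owner=${2:-root}   # hypothetical parameter: expected owner of the helper
    findings=0
    # The helper is the first absolute path that follows pam_exec.so on an auth line.
    helpers=$(awk '$1 == "auth" || $1 == "-auth" {
        seen = 0
        for (i = 2; i <= NF; i++) {
            if ($i ~ /pam_exec\.so$/) { seen = 1; continue }
            if (seen && $i ~ /^\//) { print $i; break }
        }
    }' "$pam_file")
    if [ -z "$helpers" ]; then
        echo "no pam_exec auth line in $pam_file"
        return 2
    fi
    for h in $helpers; do
        if [ ! -f "$h" ] || [ ! -x "$h" ]; then
            echo "$h: missing or not executable"
            findings=1
            continue
        fi
        owner=$(stat -c %U "$h")
        mode=$(stat -c %a "$h")
        if [ "$owner" != "$want_owner" ]; then
            echo "$h: owned by $owner, expected $want_owner"
            findings=1
        fi
        # Octal mode: second-to-last digit = group, last digit = others.
        case $mode in
            *[2367]?|*[2367])
                echo "$h: mode $mode is group/world-writable"
                findings=1 ;;
        esac
    done
    return "$findings"
}

# Stand-alone use: sh this-script /etc/pam.d/login
if [ "$#" -gt 0 ]; then check_pam_exec "$@"; fi
```

Run it against `/etc/pam.d/login` while a second root session is still open, so a finding can be fixed before the next login attempt.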