I’ve just implemented this for my own setup. Having three factors (i.e., pw, yubikey, and fingerprint) seems much better to me than having two or just a single factor. Surprisingly, I couldn’t find a write up, but only your question. So below is a quick and dirty write up. Be careful with testing in order to not lock yourself out.
- Install fprintd and polkit in sys-usb (without polkit I was getting some weird authentication errors).
- Enroll fingerprint in sys-usb using fprint-enroll.
- add /usr/local/bin/fprint-auth file in dom0:
#!/bin/sh
exit `qvm-run -q --no-gui -u root sys-usb fprintd-verify`
- add this in the beginning of /etc/pam.d/login:
auth required pam_exec.so expose_authtok /usr/local/bin/fprint-auth