source: https://jean.ribes.ovh/posts/pam-authentication-with-howdy-fingerprint-and-password/
# PAM authentication with Howdy, fingerprint and password

On Windows 10 laptops, you might know *Windows Hello*, which allows you to login using Face Identification.
There is an equivalent software for Linux, called [Howdy](github.com/boltgolt/howdy).

[GitHub - boltgolt/howdy: 🛡️ Windows Hello™ style facial authentication for Linux](https://github.com/boltgolt/howdy)

But it's not that secure, so i want to combine it with something else, like a fingerprint reader, but without entering a password.

Here's what I want

- Face ID **AND** Touch ID
- Password as a fallback

The reverse (password then other login methods) is very simple, but i don't want to enter an empty password just to use the fancy tech :)
The hard part is to refuse Fingerprint login if Howdy failed to recognize your face.

⚠️

A misconfiguration in PAM can lock you out of your computer !
Be sure to open a root terminal just in case, and always test all authentification scenarios before logging out

Here's what I came up with:

```shell {.kg-width-wide}
auth	[success=ok default=1]           pam_python.so /lib/security/howdy/pam.py
auth	[success=3  default=ignore]	pam_fprintd.so max_tries=1 timeout=10 # debug
auth	sufficient pam_unix.so try_first_pass likeauth nullok
auth	[success=1  default=ignore]	pam_sss.so use_first_pass
# here's the fallback if no module succeeds
auth	requisite			pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
auth	required			pam_permit.so
# and here are more per-package modules (the "Additional" block)
auth	optional			pam_cap.so 
# end of pam-auth-update config
```

So, if Howdy fails, PAM will skip (`default=1`) the next module (fingerprint)


© 2026 Jean Ribes