Improved Authentication Experience

Registered by Jason Warner on 2011-10-18

It would be nice to improve the authentication mechanisms in Ubuntu to be more user-friendly and make it easier to enable modern authentication schemes. This will probably involve:
- Reviewing the messages/prompts in PAM for appropriateness
- Adding hints to PAM to allow GUIs to better display the prompts (i.e. if a prompt is for a password, key number, if prompting for a password change).
- Improving the Unity Greeter prompts to interpret the hints
- Improving PolicyKit to interpret the hints
- Making it easier to enable non-password authentication (e.g. LDAP, two factor).

Blueprint information

Status: Not started
Approver: Sebastien Bacher
Priority: Low
Drafter: Robert Ancell
Direction: Approved
Assignee: Robert Ancell
Definition: Approved
Series goal: Accepted for quantal
Implementation: Deferred
Milestone target: ubuntu-12.10-beta-1

Related branches

Sprints

Whiteboard

seb128, 2012-08-08: stop tracking the implementation work items for quantal, it's getting late and not likely to happen this cycle, keeping the design ones though, if we get a design ready we might start early on that next cycle

It would be interesting to support biometric authentication here as well. Fingerprint readers are common on laptops. A prompt to indicate fingerprints are accepted would be interesting.
Any new authentication scheme would need to be recognized in at least unity-greeter, policyKit-gnome, and gnome-control-center.
Centralised Authentication
    - 2-factor
    - smart cards
    - LDAP
    - Active Directory
 - Setup and configuration of same.
Consumer Desktop
  - mainstream laptops leave factory with fingerprint readers and manufacturers would like it to "do something". Auth stack exists, but the GUI for configuring it etc. is needed.
Robert Ancell doesn't have bandwidth in quantal cycle to work on any of this. A lot of the backend work has been done for multi-factor auth.
https://wiki.ubuntu.com/BluePrints/FingerprintAuth
Goal for 12.10 is to support fingerprint scanners to *select* the appropriate user in Unity Greeter (followed by normal authentication, e.g. password). Fingerprint will not be supported for PolicyKit. There will be a GUI solution to configure fingerprints for users.

ritz: Allow unity-greeter to smartly select the user, for smartcard auth. This would allow user to key in ( pin and ) password.

Work Items

Work items:
[jamesf] Select a fingerprint library, test and promote to main: POSTPONED
[jamesf] Pick particular hardware device(s) to support: POSTPONED
[robert-ancell] lightdm support parallel authentication (not committed for 12.10, but can support someone else to do this): POSTPONED
[robert-ancell] Have unity-greeter support parallel authentication (not committed for 12.10, but can support someone else to do this): POSTPONED
[jamesf] implement fingerprint configuration GUI: POSTPONED

Work items for ubuntu-12.10:
[mpt] design suitable fingerprint configuration GUI <https://wiki.ubuntu.com/UserAccounts#security>: DONE
[mpt] design suitable 2 factor auth/smartcard setup/LDAP/Active Directory integration GUI (sounds like no resources to implement) <https://wiki.ubuntu.com/UserAccounts#smartcard>: DONE