From ArchWiki

Login configuration

Reverted from Fprint#Login configuration:

!!! WARNING: the above configuration is likely horribly broken (when both authentication methods fail, it allows to login - can be easily tested, by using empty/wrong password), but I do not use fingerprint so I am unable to test it. Most likely this line is also needed:

auth        requisite

The reason: "sufficient" means "try it, but if it fails, move on to next rule and do not fail authentication" so if all sufficient methods fail, it simply decides that everything is fine... The deny rule at the end of all sufficient auth rules, ensures that when they all fail, the authentication process will fail as well.

—This unsigned comment is by Sado1 (talk) 2023-07-12T14:12:52. Please sign your posts with ~~~~!