The return of "Unlock via PIN"

Hi all

I am missing a Windows feature which is to unlock the computer with a simple PIN.

I know there's this solution posted here: Zorin 17.2 - Unlock via PIN?
But I don't like it, as it degrades security the way it is done.

In my opinion, unlocking a device with a PIN code instead of a password is not dangerous as long as you specify a maximum number of attempts (1-3); security can also be improved by using a 6-digit PIN code instead of 4. Additionally, there's almost zero risk if it's on a static desktop computer in your family house...

I would like to see such a functionality added to Zorin OS, with proper configuration options.

Thanks.

I just set my password as a PIN...

Hi and welcome.

@Aravisian - ?

I use complicated passwords for things that need security.
But for my Login on my computer at home, at the point when you create your user password, I just select a four digit number, rather than a long complex string.

I remember avoiding 4 digits where possible, as a long time ago, as a student, I borrowed someone's calculator to run n! - 4 digits only takes 1023 permutation guesses to obtain it! I use 16-character alpha/numeric/special character passwords. Period.

I used the Perplexity AI search engine and put Ubuntu 24.04 in my search criteria, as Zorin is a fork of it:

"how to get 6-digit pin with limited attempts in ubuntu 24.04

To use a 6‑digit PIN with limited login attempts on Ubuntu 24.04, you typically combine two things: a PIN-based authentication method and a PAM “lockout” module that caps failed attempts and temporarily locks the account.

Below is one common approach that stays reasonably safe while behaving similarly to a Windows‑style PIN. These steps assume you are comfortable editing PAM files and can recover from misconfiguration (e.g., via TTY/Recovery mode).

Decide what “6‑digit PIN” means

You have two main options:

Set your actual account password to a 6‑digit numeric value

Easiest technically, but weak because the same PIN is used for login and sudo.

Configure a separate “PIN file” via PAM, keeping your real strong password for sudo

More secure, and closer to how Windows separates PIN from account password.

If security matters, use the second approach.

Using a separate PIN via PAM

The basic idea is:

Create a password file containing a hashed 6‑digit PIN for your user.

Tell PAM (for gdm, sudo, etc. as you like) to accept that PIN in addition to your normal password.

Typical high‑level steps:

Install the PAM helper:

    sudo apt install libpam-pwdfile whois

Create a PIN file:

Run mkpasswd -5 and enter your 6‑digit PIN when asked, then create a file like /etc/custompinfile containing username:hash and restrict its permissions.

Edit the relevant PAM file (for example /etc/pam.d/gdm-password for graphical login) and add near the top:

    auth sufficient pam_pwdfile.so pwdfile=/etc/custompinfile

Log out and test that the PIN works at the login screen while your regular password still works for sudo.

Because this touches PAM, always back up the original file (e.g., sudo cp /etc/pam.d/gdm-password{,_backup}) and ensure you still have a root shell or TTY in case of mistakes.

Limiting attempts for the PIN

To limit the number of failed PIN (or password) attempts, use a PAM lockout module such as pam_faillock (or pam_tally2 on older setups). This can apply to all auth, including PIN‑based logins.

High‑level steps (example with pam_faillock):

Ensure the faillock module is present (on Ubuntu 24.04 it generally is).

Edit /etc/pam.d/common-auth (affects most local logins via PAM) and add lines similar to:

    auth requisite pam_faillock.so preauth silent

    auth [success=4 default=ignore] pam_unix.so nullok

    auth [default=die] pam_faillock.so authfail

    auth sufficient pam_faillock.so authsucc

Configure limits in /etc/security/faillock.conf (or via module options), e.g.:

deny = 3 (lock after 3 failed attempts)

unlock_time = 300 (lock for 5 minutes)

fail_interval = 900 (count failures within a 15‑minute window).

Test on a non‑critical account first, verify that:

After N wrong PINs, the account is locked.

faillock --user username shows failures, and faillock --user username --reset unlocks it.

This mechanism does not care whether the failures are from a PIN file or a normal password; it simply reacts to failed authentication events.

Safer alternative: 6‑digit code as 2FA

If your goal is “something like a 6‑digit code” but you do not strictly need it as the only secret, a time‑based one‑time password (TOTP) such as Google Authenticator is safer:

You keep a strong account password.

You add a 6‑digit code from an authenticator app (rotates every 30 seconds) as a second factor.

Typical steps:

sudo apt install libpam-google-authenticator on Ubuntu 24.04.

Run google-authenticator (per user) to generate a QR code and 6‑digit TOTP secrets.

Add auth required pam_google_authenticator.so to /etc/pam.d/sshd for SSH or to the appropriate PAM files for local logins.

Configure SSH or display manager to require both password and 6‑digit code.

This gives you the 6‑digit behavior plus strong security, at the cost of needing a phone.

Practical recommendations

For convenience with some risk:

Use a PAM PIN file, plus pam_faillock with a low deny value (e.g., 3) to mitigate brute force.

For best security:

Keep a strong password.

Add TOTP (Google Authenticator, etc.) to get a 6‑digit code on login.

Still use pam_faillock for password attempts.

Always:

Test on a spare account first.

Keep a root-capable recovery path (TTY/recovery mode) in case PAM configuration blocks you.

If you say exactly what context you want the 6‑digit PIN for (graphical login, sudo, SSH, or all of them), a tailored set of concrete config lines can be provided."
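The faillock settings quoted above (deny = 3, unlock_time = 300, fail_interval = 900) are easier to reason about with a small model of how the tally works. The following is an added illustration, not pam_faillock's own code: it implements only the per-user counting the quoted post describes, run over a constructed log of login events, and ignores root_unlock_time, even_deny_root, per-tty records and the on-disk /var/run/faillock format. The user name and event times are made up for the example.

```python
"""Simplified model of pam_faillock's deny / fail_interval / unlock_time
semantics, fed with a constructed sequence of authentication events.

Added example, not pam_faillock's own code. One detail is worth seeing:
failures are counted relative to the most recent failure, so when
fail_interval is larger than unlock_time the old failures still count
once the lock expires and the next wrong guess re-locks the user.
"""

from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class FaillockPolicy:
    """The three /etc/security/faillock.conf options quoted above."""
    deny: int = 3             # failures before the user is locked
    fail_interval: int = 900  # seconds within which failures are counted
    unlock_time: int = 300    # seconds a lockout lasts


@dataclass
class Faillock:
    policy: FaillockPolicy
    # per-user timestamps of recorded failures (the tally, kept in memory here)
    tallies: Dict[str, List[int]] = field(default_factory=dict)

    def _counted_failures(self, user: str) -> List[int]:
        """Failures within fail_interval of the most recent one."""
        tally = self.tallies.get(user, [])
        if not tally:
            return []
        latest = tally[-1]
        return [t for t in tally if latest - t < self.policy.fail_interval]

    def is_locked(self, user: str, now: int) -> bool:
        """What `auth ... pam_faillock.so preauth` decides before the secret is checked."""
        counted = self._counted_failures(user)
        if len(counted) < self.policy.deny:
            return False
        # enough failures: locked until unlock_time has passed since the last one
        return now - counted[-1] < self.policy.unlock_time

    def authfail(self, user: str, now: int) -> None:
        """`auth [default=die] pam_faillock.so authfail`: record one failure."""
        self.tallies.setdefault(user, []).append(now)

    def authsucc(self, user: str) -> None:
        """`auth sufficient pam_faillock.so authsucc`: a good login clears the tally."""
        self.tallies.pop(user, None)

    def attempt(self, user: str, now: int, secret_ok: bool) -> str:
        """One login attempt, in the order of the four PAM lines quoted above."""
        if self.is_locked(user, now):
            return "locked"  # preauth refuses; PIN or password is never evaluated
        if secret_ok:
            self.authsucc(user)
            return "ok"
        self.authfail(user, now)
        return "fail"


def simulate(policy: FaillockPolicy, events: List[Tuple[int, str, bool]]) -> List[str]:
    """Run constructed (time, user, secret_ok) events through the model."""
    fl = Faillock(policy)
    return [fl.attempt(user, now, ok) for now, user, ok in events]


def worst_case_seconds(pin_digits: int, policy: FaillockPolicy) -> int:
    """Rough time for an online guesser to try every PIN under this policy.

    The first `deny` guesses are free. After that each lockout costs
    unlock_time seconds; if fail_interval > unlock_time the old failures
    are still counted when the lock expires, so each cycle allows just one
    further guess, otherwise `deny` guesses per cycle.
    """
    guesses = 10 ** pin_digits
    per_cycle = policy.deny if policy.fail_interval <= policy.unlock_time else 1
    cycles = -(-(guesses - policy.deny) // per_cycle)  # ceiling division
    return cycles * policy.unlock_time


if __name__ == "__main__":
    policy = FaillockPolicy(deny=3, fail_interval=900, unlock_time=300)
    # constructed event log: three bad PINs, a correct one while locked,
    # one bad PIN right after the lock expires (re-locks at once), then success
    events = [(0, "alice", False), (1, "alice", False), (2, "alice", False),
              (10, "alice", True), (302, "alice", False), (303, "alice", True),
              (602, "alice", True)]
    print(simulate(policy, events))
    print(worst_case_seconds(6, policy) / 86400, "days to exhaust a 6-digit PIN")
```

Two things the model makes visible. First, the lockout is per user and per PAM stack, so once the tally reaches deny the real password is refused too; that is different from the "fall back to the password after 3 bad PINs" behaviour asked for in this thread. Second, with the quoted numbers an online guesser gets one attempt per five minutes after the first three, which is what makes even a short PIN expensive to brute-force at the lock screen; it says nothing about offline cracking of a leaked hash.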

No one is going to enter my home and try to hack into my computer.
A four digit PIN is all I need in my home.
Anything beyond that is either paranoia - or I am misbehavin'

2 Likes

Or as I regularly get called, #Mr. Pedantic# (to the rapper hit song of #Mr. Bombastic#!) :rofl:

1 Like

Just to make it clear: I don't want to set my user/root password as a PIN, and I will never do that.

I want to keep my (strong) password as it is.
And I am OK to enter my strong password when I login, in the prompt when I am modifying system files or installing software, or in sudo commands.
However, it is plain boring to enter it to unlock the computer, which I have to do 40 times a day, on multiple computers.

What I am asking is an additional option only to unlock via PIN, just like it exists for the fingerprint reader.
And after, say, 3 failed PIN attempts, the password is mandatory.

And this is exactly how Windows 10 handles it.
I think it would be a nice addition for ZorinOS

I am paranoid...
It's not about someone entering your home (that situation works perfectly for a PIN-only unlock).
But if someone gets access to your computer from the network (Wi-Fi/WAN), then it takes a second to crack your PIN-like password using John the Ripper on /etc/passwd.

No, they cannot. /etc/passwd does not contain password hashes.

The user password is stored elsewhere, with /etc/passwd containing only a placeholder. Only ROOT has access to it.
Getting Network access also would not grant file access, much less Root access.

John The Ripper operates as an Offline Hash cracker. It is a brute force tool for cracking a hash - that you already have access to.
So, the only way an attacker could use it - is if they got in my home, accessed my computer, accessed Root... Then copied the file, and took it away on a USB stick to use a cracker on it... Which would be redundant had they accessed my computer and entered my root password since they clearly would have to know it, to enter it.

Actually... I either read or saw on TV an explanation that if your computer is switched on and someone outside has two notebooks and uses aircrack-ng on one of them to illegally commit snarfing, they can take over your machine. No break-in necessary.

Again, our systems are safer than that.

This sounds a lot like, "I heard they are growing human brains on mice, now!"
No, that also has not happened.

Even getting Wifi access or network access does not enable Linux Access.
How does what you describe work?
Login credentials are not transmitted over the net as text. HTTPS encrypts web traffic, SSH encrypts sessions, and WPA2/WPA3 encrypts Wi-Fi frames. There is no feasible way that packet sniffing, which nominally can only detect unencrypted data, can "take over a machine."

You know that this claim is complete nonsense just from the simple existence of Internet Cafes and Wifi. If there was any truth to it, both of those would be dealing with constant computer take overs.

What is the purpose of... two notebook computers? This is a statement to make something look credible, but is pure theatrics. Two computers, maybe one sniffing as the other deauths, Won't Change Physics.

1 Like

I miss that too, lol! I understand you, but the Linux security system is built on a different logic, to be extremely flexible and extremely secure, so it's a trade-off. Linux has no universal way of storing PIN keys the way Windows does, and for a good reason too. Windows stores the PIN in the TPM, but Linux does not enforce TPM by default; on top of that, Windows also uses Microsoft accounts and the Windows Hello ecosystem. Linux has so many distros it wouldn't make sense to do that, plus they don't need online accounts... so, you know... it's fine. I can type the password; it is totally worth it for my privacy and for an OS that is fully under your control. You do have alternatives though, like fingerprint scanners (face recognition is also getting more care), smartcards, and physical key tokens (like a USB device that you just put in like a key).