The return of "Unlock via PIN"

Hi all

I am missing a Windows feature which is to unlock the computer with a simple PIN.

I know there's this solution posted here: Zorin 17.2 - Unlock via PIN?
But I don't like it, as it weakens security the way it is done.

In my opinion, unlocking a device with a PIN code instead of a password is not dangerous as long as you specify a maximum number of attempts (1-3); security can also be improved if you have a 6 digit PIN code instead of 4. Additionally, there's almost zero risk if it's on a static desktop computer lying in your family house's...

I would like to see such a functionality added to Zorin OS, with proper configuration options.

Thanks.

I just set my password as a PIN...

Hi and welcome.

@Aravisian - ?

I use complicated passwords for things that need security.
But for my Login on my computer at home, at the point when you create your user password, I just select a four digit number, rather than a long complex string.

I remember avoiding 4 digits where possible, as a long time ago, as a student, I borrowed someone's calculator to run n! - 4 digits only takes 1023 permutation guesses to obtain it! I use 16 alpha/numeric/special character passwords. Period.

I used the Perplexity A.I. search engine and included Ubuntu 24.04 in my search criteria, as Zorin is a fork of it:

"how to get 6-digit pin with limited attempts in ubuntu 24.04

To use a 6‑digit PIN with limited login attempts on Ubuntu 24.04, you typically combine two things: a PIN-based authentication method and a PAM “lockout” module that caps failed attempts and temporarily locks the account.

Below is one common approach that stays reasonably safe while behaving similarly to a Windows‑style PIN. These steps assume you are comfortable editing PAM files and can recover from misconfiguration (e.g., via TTY/Recovery mode).

Decide what “6‑digit PIN” means

You have two main options:

Set your actual account password to a 6‑digit numeric value

Easiest technically, but weak because the same PIN is used for login and sudo.

Configure a separate “PIN file” via PAM, keeping your real strong password for sudo

More secure, and closer to how Windows separates PIN from account password.

If security matters, use the second approach.

Using a separate PIN via PAM

The basic idea is:

Create a password file containing a hashed 6‑digit PIN for your user.

Tell PAM (for gdm, sudo, etc. as you like) to accept that PIN in addition to your normal password.

Typical high‑level steps:

Install the PAM helper:

    sudo apt install libpam-pwdfile whois

Create a PIN file:

Run mkpasswd -5 and enter your 6‑digit PIN when asked, then create a file like /etc/custompinfile containing username:hash and restrict its permissions.

Edit the relevant PAM file (for example /etc/pam.d/gdm-password for graphical login) and add near the top:

    auth sufficient pam_pwdfile.so pwdfile=/etc/custompinfile

Log out and test that the PIN works at the login screen while your regular password still works for sudo.

Because this touches PAM, always back up the original file (e.g., sudo cp /etc/pam.d/gdm-password{,_backup}) and ensure you still have a root shell or TTY in case of mistakes.

Limiting attempts for the PIN

To limit the number of failed PIN (or password) attempts, use a PAM lockout module such as pam_faillock (or pam_tally2 on older setups). This can apply to all auth, including PIN‑based logins.

High‑level steps (example with pam_faillock):

Ensure the faillock module is present (on Ubuntu 24.04 it generally is).

Edit /etc/pam.d/common-auth (affects most local logins via PAM) and add lines similar to:

    auth requisite pam_faillock.so preauth silent
    auth [success=4 default=ignore] pam_unix.so nullok
    auth [default=die] pam_faillock.so authfail
    auth sufficient pam_faillock.so authsucc

Configure limits in /etc/security/faillock.conf (or via module options), e.g.:

deny = 3 (lock after 3 failed attempts)

unlock_time = 300 (lock for 5 minutes)

fail_interval = 900 (count failures within a 15‑minute window).

Test on a non‑critical account first, verify that:

After N wrong PINs, the account is locked.

faillock --user username shows failures, and faillock --user username --reset unlocks it.

This mechanism does not care whether the failures are from a PIN file or a normal password; it simply reacts to failed authentication events.

Safer alternative: 6‑digit code as 2FA

If your goal is “something like a 6‑digit code” but you do not strictly need it as the only secret, a time‑based one‑time password (TOTP) such as Google Authenticator is safer:

You keep a strong account password.

You add a 6‑digit code from an authenticator app (rotates every 30 seconds) as a second factor.

Typical steps:

sudo apt install libpam-google-authenticator on Ubuntu 24.04.

Run google-authenticator (per user) to generate a QR code and 6‑digit TOTP secrets.

Add auth required pam_google_authenticator.so to /etc/pam.d/sshd for SSH or appropriate PAM files for local logins.

Configure SSH or display manager to require both password and 6‑digit code.

This gives you the 6‑digit behavior plus strong security, at the cost of needing a phone.

Practical recommendations

For convenience with some risk:

Use a PAM PIN file, plus pam_faillock with a low deny value (e.g., 3) to mitigate brute force.

For best security:

Keep a strong password.

Add TOTP (Google Authenticator, etc.) to get a 6‑digit code on login.

Still use pam_faillock for password attempts.

Always:

Test on a spare account first.

Keep a root-capable recovery path (TTY/recovery mode) in case PAM configuration blocks you.

If you say exactly what context you want the 6‑digit PIN for (graphical login, sudo, SSH, or all of them), a tailored set of concrete config lines can be provided."
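The quoted steps say to "restrict its permissions" on the PIN file but do not show how to verify the result. Here is an added Python checker (written for this thread; it is not pam_pwdfile's code and not from the quoted answer) that inspects a pam_pwdfile-style `user:hash` file for ownership, mode and obviously wrong entries such as a PIN stored in clear. The sample file contents, the made-up `$5$` hash string and the list of accepted hash prefixes are assumptions for illustration; the owner check in `demo()` runs against the current user so it works without root.

```python
"""Sanity checks for a pam_pwdfile-style PIN file (user:hash per line).

Added for this thread as an illustration; it is not part of pam_pwdfile.
"""
import os
import re
import stat
import tempfile

# crypt(3)-style prefixes this check accepts (assumption: modern glibc formats;
# `mkpasswd -5`, as in the quoted steps, produces $5$ sha256-crypt strings).
HASH_PREFIX = re.compile(r"^\$(5|6|y|2[aby])\$")


def check_pinfile(path: str, expect_uid: int = 0) -> list[str]:
    """Return a list of problems found; an empty list means the file looks sane."""
    problems = []
    st = os.stat(path)
    if st.st_uid != expect_uid:
        problems.append(f"owner uid {st.st_uid}, expected {expect_uid}")
    if stat.S_IMODE(st.st_mode) & 0o077:
        problems.append("readable or writable by group/other (want 0600)")
    with open(path, encoding="utf-8") as fh:
        for n, raw in enumerate(fh, 1):
            line = raw.rstrip("\n")
            if not line or line.startswith("#"):
                continue
            user, sep, secret = line.partition(":")
            if not sep or not user or not secret:
                problems.append(f"line {n}: expected user:hash")
            elif secret.isdigit():
                problems.append(f"line {n}: PIN for {user} is stored in clear")
            elif not HASH_PREFIX.match(secret):
                problems.append(f"line {n}: unrecognised hash format for {user}")
    return problems


# Constructed sample: a syntactically fine $5$ entry (the hash is a made-up
# string, not derived from any real PIN) and an entry that stores the PIN in clear.
SAMPLE = (
    "# users allowed to unlock with a PIN\n"
    "alice:$5$saltsalt$thisisnotarealhashjustaplaceholderstringXXXXXXX\n"
    "bob:123456\n"
)


def write_sample(mode: int) -> str:
    """Write SAMPLE to a temporary file with the given mode and return its path."""
    fd, path = tempfile.mkstemp(prefix="custompinfile-")
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        fh.write(SAMPLE)
    os.chmod(path, mode)
    return path


def demo() -> dict:
    """Check a correctly restricted copy and a world-readable copy of SAMPLE.
    The owner check is run against the current user so the demo works without root."""
    me = os.getuid()
    results = {}
    for label, mode in (("0600", 0o600), ("0644", 0o644)):
        path = write_sample(mode)
        try:
            results[label] = check_pinfile(path, expect_uid=me)
        finally:
            os.unlink(path)
    return results


if __name__ == "__main__":
    for label, problems in demo().items():
        print(f"mode {label}: {problems or 'no problems'}")
```

On a real system you would call `check_pinfile("/etc/custompinfile")` with the default `expect_uid=0`, so that a file not owned by root is reported as well.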
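To make the deny / unlock_time / fail_interval settings in the quoted answer concrete, here is an added Python model (written for this thread; it is not pam_faillock's code and not from the quoted answer) that replays a constructed sequence of authentication events through a simplified version of the counting rules, and also bounds how long trying every numeric PIN would take under such a policy. The event timeline, the user names, and the assumption that a failure after an expired lock starts a fresh tally are constructed for illustration; pam_faillock(8) is the authority on the real behaviour.

```python
"""Simplified model of pam_faillock's deny / unlock_time / fail_interval rules.

Added for this thread as an illustration; it is not pam_faillock's code and
omits details such as root handling, per-user tally files and audit logging.
"""
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class FaillockPolicy:
    # Defaults are the values from the quoted /etc/security/faillock.conf suggestion.
    deny: int = 3             # failures that trigger a lock
    unlock_time: int = 300    # seconds the lock lasts; 0 = until `faillock --reset`
    fail_interval: int = 900  # only failures inside this window are counted


class FaillockModel:
    """Per-user failure tallies keyed by user name; timestamps are seconds."""

    def __init__(self, policy: FaillockPolicy) -> None:
        self.policy = policy
        self._failures: dict[str, list[int]] = {}

    def _recent(self, user: str) -> list[int]:
        hist = self._failures.get(user, [])
        if not hist:
            return []
        latest = max(hist)
        # The window is measured back from the most recent failure, so a lock
        # does not silently evaporate just because time has passed.
        return [t for t in hist if latest - t < self.policy.fail_interval]

    def is_locked(self, user: str, now: int) -> bool:
        p = self.policy
        recent = self._recent(user)
        if len(recent) < p.deny:
            return False
        if p.unlock_time == 0:
            return True                       # permanent lock until an admin resets it
        return now - recent[-1] < p.unlock_time

    def preauth(self, user: str, now: int) -> bool:
        """The `preauth` step: may this authentication attempt proceed at all?"""
        return not self.is_locked(user, now)

    def authfail(self, user: str, now: int) -> bool:
        """The `authfail` step: record a failure; returns True if the user is now locked."""
        p = self.policy
        recent = self._recent(user)
        # Assumption of this model: once an earlier lock has expired, a new
        # failure starts a fresh tally instead of re-locking immediately.
        if len(recent) >= p.deny and p.unlock_time and now - recent[-1] >= p.unlock_time:
            recent = []
        recent.append(now)
        self._failures[user] = recent
        return self.is_locked(user, now)

    def authsucc(self, user: str, now: int) -> None:
        """The `authsucc` step: a successful login clears the tally."""
        self._failures.pop(user, None)

    def reset(self, user: str) -> None:
        """Equivalent of `faillock --user <name> --reset`."""
        self._failures.pop(user, None)

    def failures(self, user: str) -> int:
        """Equivalent of reading `faillock --user <name>`: failures counted right now."""
        return len(self._recent(user))


def replay(events, policy: FaillockPolicy, user: str = "alice"):
    """Run (timestamp, kind) events through the model; kind is fail / attempt / success."""
    model = FaillockModel(policy)
    timeline = []
    for now, kind in events:
        if kind == "attempt":
            timeline.append((now, "allowed" if model.preauth(user, now) else "locked"))
        elif kind == "fail":
            locked = model.authfail(user, now)
            timeline.append((now, "locked" if locked else f"fail {model.failures(user)}"))
        elif kind == "success":
            model.authsucc(user, now)
            timeline.append((now, "success, tally reset"))
        else:
            raise ValueError(f"unknown event kind {kind!r}")
    return timeline


def worst_case_lockout_seconds(pin_digits: int, policy: FaillockPolicy):
    """Upper bound on the time to try every PIN of `pin_digits` digits when the
    guesser burns `deny` attempts, waits exactly unlock_time, and repeats.
    Returns None when unlock_time is 0 (the lock only clears on admin reset)."""
    if policy.unlock_time == 0:
        return None
    cycles = math.ceil(10 ** pin_digits / policy.deny)
    return (cycles - 1) * policy.unlock_time


# Constructed timeline: three wrong PINs within 20 seconds, an attempt during
# the lock, an attempt once the 300 s lock has elapsed, then a correct login.
SAMPLE_EVENTS = [
    (0, "fail"), (10, "fail"), (20, "fail"),
    (100, "attempt"), (320, "attempt"), (330, "success"), (400, "fail"),
]

if __name__ == "__main__":
    policy = FaillockPolicy()
    for when, what in replay(SAMPLE_EVENTS, policy):
        print(f"t={when:4d}s  {what}")
    for digits in (4, 6):
        secs = worst_case_lockout_seconds(digits, policy)
        print(f"{digits}-digit PIN, deny=3/unlock_time=300: worst case {secs / 86400:.1f} days")
```

With the quoted values, the model locks the account at the third failure, rejects the attempt at t=100, allows the one at t=320, and clears the tally on the successful login. The bound function shows why the digit count matters even with a lockout: three guesses per five minutes exhausts a 4-digit space in about 11.6 days at most, a 6-digit space in about 3.2 years.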

No one is going to enter my home and try to hack into my computer.
A four digit PIN is all I need in my home.
Anything beyond that is either paranoia - or I am misbehavin'

2 Likes

Or as I regularly get called, #Mr. Pedantic# (to the rapper hit song of #Mr. Bombastic#!) :rofl:

1 Like