Very very draft, just wanted to publish for others as it ties in with some other open requests. Obviously I need to remove qDebugs and ship the PAM file and tidy everything up, maybe squash the 2 classes...
The problem with fingerprints is that unlike other prompts it cancels out at any time, so if you combine with the normal prompt you scan the fingerprint then nothing happens till you hit enter even with a wrong password. The only solution is to create two PAM stacks and run them both simultaneously, exiting when one finishes.
The solution here is over-engineered for this one purpose as I was writing something more generic for PAM (initially not for the lockscreen). PAM typically is a horrible thing to wrap for a UI; the authenticate method is blocking and the callbacks that request data are blocking. This approach uses a second thread and 2 more event loops that are only run inside the worker thread. From a PAM POV, it's still blocking but the GUI thread gets nice signals and slots. It can cancel or be deleted at any time and everything is all thread-safe.
This would allow us to replace kcheckpass in an (IMHO) much simpler way without needing any IPC. We have full control over the conversation so we can show pam_deny messages or 2FA or anything else. It would make PAM mandatory though.
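The two-stack race described above, as an added sketch that is not code from this merge request: it uses `std::thread` and condition variables instead of Qt event loops, and stand-in checks instead of real `pam_authenticate()` calls. `BlockingPrompt`, `unlock`, `Winner` and the secrets are hypothetical names and constructed values.

```cpp
#include <chrono>
#include <condition_variable>
#include <functional>
#include <mutex>
#include <string>
#include <thread>

enum class Winner { None, Password, Fingerprint };
// Constructed secrets; a real stack would call pam_authenticate() instead of comparing.
static const std::string kPassword = "correct horse", kScanOk = "scan-ok";

// Stand-in for one PAM conversation: the worker blocks, the GUI thread answers or cancels.
class BlockingPrompt {
    std::mutex m; std::condition_variable cv;
    std::string reply; bool hasReply = false, cancelled = false;
public:
    bool wait(std::string& out) {                    // worker thread, blocking
        std::unique_lock<std::mutex> lk(m);
        cv.wait(lk, [&] { return cancelled || hasReply; });
        if (cancelled) return false;                 // a cancel always wins over a reply
        out = std::move(reply); hasReply = false; return true;
    }
    void respond(std::string s) { { std::lock_guard<std::mutex> lk(m); reply = std::move(s); hasReply = true; } cv.notify_all(); }
    void cancel() { { std::lock_guard<std::mutex> lk(m); cancelled = true; } cv.notify_all(); }
};

// Runs both stacks at once; the first success ends the attempt and cancels the other stack.
Winner unlock(const std::string& typed, bool fingerScanned) {
    BlockingPrompt pw, fp;
    std::mutex m; std::condition_variable done; Winner winner = Winner::None;
    auto stack = [&](BlockingPrompt& p, Winner id, const std::string& expected) {
        std::string r;
        while (p.wait(r)) {
            if (r != expected) continue;             // failed attempt: prompt again
            { std::lock_guard<std::mutex> lk(m); if (winner == Winner::None) winner = id; }
            done.notify_all(); return;
        }
    };
    std::thread t1(stack, std::ref(pw), Winner::Password, std::cref(kPassword));
    std::thread t2(stack, std::ref(fp), Winner::Fingerprint, std::cref(kScanOk));
    if (!typed.empty()) pw.respond(typed);           // "GUI thread": user typed and hit enter
    if (fingerScanned) fp.respond(kScanOk);          // "GUI thread": reader reported a match
    {   // Wait for either stack; the timeout stands for the user giving up.
        std::unique_lock<std::mutex> lk(m);
        done.wait_for(lk, std::chrono::milliseconds(200), [&] { return winner != Winner::None; });
    }
    pw.cancel(); fp.cancel();                        // unblock whichever stack is still waiting
    t1.join(); t2.join();
    return winner;
}
int main() { return unlock("", true) == Winner::Fingerprint ? 0 : 1; }
```

A fingerprint match ends the attempt even while the password prompt is still blocked waiting for enter, which is the behaviour a single combined stack cannot give.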