Hi Yaron,
Thanks for taking the time to look into this issue.
We appreciate the analysis you did, although, as we already shared privately, we don't think that this is an fprintd issue, but rather an architectural issue of how PAM modules interact with sudo that by design does not permit an additional attention mechanism beyond displaying a prompt in the terminal.
It's important to note that no graphical PAM frontend that we are aware of is affected by this problem. For example, the PolicyKit dialog that gnome-shell integrates and also the GDM login and lock screens will properly ensure user attention. Said differently, there should be no user attention issue as long as fingerprint authentication is restricted to properly implemented graphical frontends. This is a policy decision for administrators and distributors to ensure using the PAM configuration.
We would like to point out that similar behaviors may occur with any PAM module that uses an out-of-band authentication mechanism (whether using another device or not) which doesn't require the user to pay attention to the main device (SSO, web authentication, hardware-token based, …).