Better default policies
The PAM module should not allow authentication if:
- the user's password has never been entered
- a certain amount of time has passed since the last authentication (fingerprint or not)
- a certain number of attempts to unlock with the fingerprint have failed
It is possible that this should be implemented at a higher level, such as in GDM directly, but that would leave the console with the same "weaker" security.
CC @halfline
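
The three conditions above as a single decision function, added here as an illustration and not code from the PAM module or GDM. The thresholds, the `fp_state` struct and all function names are hypothetical, as is the choice to count consecutive failures and to fail closed when the clock reads earlier than the last authentication.

```c
#include <stdbool.h>
#include <stdint.h>

/* Hypothetical thresholds: the issue only says "a certain amount". */
#define MAX_AUTH_AGE_SECS (8 * 60 * 60)
#define MAX_FP_FAILURES   3

enum fp_decision { FP_ALLOW, FP_DENY_NO_PASSWORD, FP_DENY_STALE, FP_DENY_LOCKED };

/* Hypothetical per-user state; where it is stored is out of scope here. */
struct fp_state {
    bool     password_entered; /* password accepted at least once */
    int64_t  last_auth;        /* monotonic seconds of last success, any method */
    unsigned fp_failures;      /* consecutive failed fingerprint attempts */
};

/* Decide whether fingerprint may be offered at time `now`. */
enum fp_decision fp_policy_check(const struct fp_state *s, int64_t now)
{
    if (!s->password_entered)
        return FP_DENY_NO_PASSWORD;
    if (s->fp_failures >= MAX_FP_FAILURES)
        return FP_DENY_LOCKED;
    /* A clock reading before last_auth is untrustworthy: fail closed. */
    if (now < s->last_auth || now - s->last_auth > MAX_AUTH_AGE_SECS)
        return FP_DENY_STALE;
    return FP_ALLOW;
}

/* Only a password success clears a lockout or a stale session. */
void fp_record_password_success(struct fp_state *s, int64_t now)
{
    s->password_entered = true;
    s->last_auth = now;
    s->fp_failures = 0;
}

/* Feed one fingerprint result; returns true only if it counts as a login. */
bool fp_record_fingerprint(struct fp_state *s, int64_t now, bool matched)
{
    if (fp_policy_check(s, now) != FP_ALLOW)
        return false;          /* caller falls back to the password prompt */
    if (!matched) {
        s->fp_failures++;
        return false;
    }
    s->last_auth = now;        /* "fingerprint or not" refreshes the timer */
    s->fp_failures = 0;
    return true;
}
```

Because the check lives in one function, the same gate applies whether the caller is a graphical greeter or a console login.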