Better default policies
The PAM module should not allow authentication if:
- the user's password has never been entered
- a certain amount of time has passed since the last authentication (fingerprint or not)
- after a certain amount of failures to unlock with the fingerprint
It is possible that this should be implemented at a higher level, such as in GDM directly, but that would leave the console with the same "weaker" security.