Please check the status of this specification in Launchpad before editing it. If it is Approved, contact the Assignee or another knowledgeable person before making changes.


The login via gdm is meant to default to a face-browser allowing simple point-and-click user-selection. Only the password-entry will require the user to use the keyboard. It is still possible to type in the login-id instead of selecting the user with a mouse-click on her/his image. This will also cause the set of displayed user-faces to be filtered to the remaining completion-possibilities, thus rendering the remaining images larger and making the hit-area for a mouse-click even bigger.

In order to achieve fast and good looking transitions for this very visual login interface the use of OpenGL is mandatory.

To increase the level of integration tools like MeMaker and cheese are meant to be added to gdm-utilities like gdm-setup and gnome-about-me, so users have very easy means to provide a nice image for their entry in the face-browser.

Release Note

The default layout of the gdm-greeter uses an OpenGL-based face-browser, if the underlying graphics-hardware and driver provide the needed support, in order to provide a more pleasing login-experience. User-selection happens either by clicking on a users image/photo/face or via text-entry.


These days, with composited desktop-environments becoming more and more a standard feature, people expect their whole computing experience to be visually attractive and consistent across all parts of the system. Furthermore do we want to close the gap of visual attractiveness in the different parts of the overall desktop-experience (booting, login, desktop-usage, logout). Ideally the user should not recognize any kind of "gap" when using the computer. This attention to detail in terms of consistent look and behaviour helps give the user a more enjoyable desktop-system and improves a users confidence in the platform s/he is using.

Use Cases

The general advantage of a face-browser for login is the avoidance of superfluous typing. This helps speed up the login-procedure of all people, who are no touch-typists or experienced keyboard users. But even experienced users can enjoy the convenience of being lazy occasionally. It is still possible to login successfully without selecting an image at all just by typing in the login-name and password.

only one user on system: Although an automatic login would streamline the bootup-to-desktop cycle for a single-user system (single in terms of one real person, not "user" in terms of unix-privileges), security-concerns strongly advice against this. The single user will see only her/his photo in the face-browser.

multiple users on system (<=100): In this case a user can either just select her/his image to tell the computer their login-name or start typing the first few characters from her/his login-name and watch the face-browser filter the set of displayed images to fewer images in order to simplify locating their own image in the visible set of images.

multiple users on system (>100): Scalability-issues regarding texture-usage (especially on low-end graphics hardware) and network-latency (setups with that many users are hardly run of local harddisks) demand a fallback to a non-face-browser mode of the gdm-greeter. In that case plain text-entry widgets for login-name and password are used.

idle: When the computer is left running unattended without any user loggeded in, the gdm-greeter should switch to a screensaver-like display without locking input. Any motion of the mouse or pressed key should exit this mode. The screensaver-mode should use e.g. the user photos and make them fly round on the screen, but the user should always be able to identify that it is still the login-screen that is being displayed and not a normal screensaver from another users-session.

The threshold of a 100 users for automatic disabling the face-browser is something that needs to be properly tested during the beta-phase.


For the face-browser the OpenGL 1.3 and the following extensions will be required:

  • GL_ARB_multitexture
  • GL_ARB_fragment_program
  • GL_ARB_texture_rectangle

These OpenGL-limits will be required:


The recommended size for user-images is 256x256 so they will not look to blurry when scaled up. This size will have to be enforced via three means...

  • stock-photos coming with gdm need all to be 256x256
  • any images generated from an avatar-maker need to be 256x256
  • images aquired from a webcam need to be scaled to 256x256

We currently assume that the newly rewritten gdm will be in a shippable state by the time HardyHeron enters beta. Should we forsee that this will not be the case, we will fallback to the old gdm and add the face-browser to the old version. But the work for adding a face-browser to the old gdm isn't a simple task doable in a week. There was some work done in that direction already during an earlier cycle, but it would be at least a month of work to resurrect it.


Here is the newest design superseding the old one as a mockup-movie (Ogg/Theora, no sound, just click to playback)...

Normal login procedure 1 (selecting only via mouse-click on image)...

Normal login procedure 2 (starts typing thus filtering displayed images, selects image via mouse-click when there are fewer choices). There's a username text field to know what is being typed (not on the mock-ups)

User has the caps-lock key activated...

User clicked wrong picture, needs to go back...

Examples for ~25, ~50, ~100 and ~260 faces displayed... as you can easily see with ~100 images displayed it is hard to keep an overview. People will start by typing in the first few characters of their login-id in order to filter the displayed set of images to fewer ones.

Fallback login procedure without face-browser...

Please note that these mockups are only meant to give a general idea of the look we are aiming at and to provide a basis for discussion with the artwork-team. I (MacSlow) am not part of the artwork-team itself, therefore colors, gradients, hues, drop-shadows, "roundness" etc. are just my best guesses and do not reflect the final look of the artwork. Please do not write any article about this stating something else!

The names displayed are meant to be the real names of users and not their login-ids, which are used to log in normally. For the record other OSes display real names of users too in the login-manager. Using the real name instead of the login-id, is a fair compromise between usability and security. From experience it is not too uncommon to have login-ids being rather abstract and not reflecting a users real name at all, thus displaying a users real name with their photo/image is not giving away much. Furthermore the face-browser is meant to work for local users only and not for accounts stored on LDAP or similar directory-services.

The main workload for this spec will come from the OpenGL-based face-browser. There are currently two potential candidates for becoming the rendering library of choice, pigment and clutter. At the time of this writing both lack direct support for implicit-animations and shaders. These two features will have to be added to the API of choice, once that choice has been made. Going down that path will involve a lot of additional design-discussions and work not directly related to this spec.

There is another option for providing the needed OpenGL-boilerplate. That would be to use libgtkglext as windowing-system glue and implement all needed animation- and effects-features from scratch directly via OpenGL.

Theme-support was based on a XML-file in the old gdm. This should be taken over to the new gdm.


Main libraries to be used are...

  • OpenGL
  • cairo
  • pango
  • librsvg
  • gtk+
  • gtkglext

To this list either...


might be added, depding on how results of their evaluation turn out.

The evaluation process will check if the following things are available in the reviewed API...

  • animation-framework allowing implicit animation
  • simple loading of bitmapped images (PNG, JPG) and SVG
  • exposure of GL's mipmapping capabilities in the API itself
  • or easy integration of mipmapping
  • exposure of GL's multitexturing capabilites in the API itself
  • or easy integration of multitexturing
  • exposure of GL's fragment-shading extension in the API itself
  • or easy integration of fragment-shading
  • redirecting gtk+-widgets to offscreen buffers for texture-generation
  • high-quality text-rendering (exposing some of the flexibility like pango offers)

Nearly all elements visible on the gdm-greeter screen will be multi-textured quads using fragment-shading for masking out the face-photos and other elements to get the rounded look. Some parts of the visual assets will be loaded as SVGs or PNGs from which textures will be created. This allows themeability-work by artists. Text display will be handled in a similar fashion. There the initial texture-generation is done via pango. More details will be added once the implementation has started.


Any theme and gdm-setup setting should just work with the new gdm.

During the installation of Ubuntu on a computer the user should be asked for a photo upon creation of the first account. This can either happen by offering the user a set of stock images, allow loading an image-file from an external data-source e.g. an usb-stick or web-page, take a picture with an application like cheese (if a supported webcam is found) or allow the user to create an abstract avatar-photo using a program like MeMaker. All this of course requires a lot of additional integration work that easily exceeds the scope of this spec. It would require ubiquity, Ubuntu's installer tool, to be extended with support for cheese and MeMaker.

Whenever a new user is created it has to be guaranteed, that this new user account gets a unique photo to be displayed in the face-browser. At least the fallback images need to be uniquely assigned. If the user provides her/his own photo (via webcam/cheese, avatar-maker/MeMaker or from self-provided image) we assume it to be a unique photo. To further ensure a user is able to pick the correct photo from the set of images displayed in the face-browser, their real name needs to be displayed with their photo (the login-name is used as a fallback, if no real name was provided upon user-account creation).

In order to cleanly migrate a system configuration with upto 100 users, where no user has a face-image set yet, we need to randomly assign an image from the stock image-set. Users can then afterwards still change their randomly assigned image, should they choose so. This stock image-set needs to be provided by the default installation or after an distro upgrade. The images need to be 256x256 RGB (PNG or JPG) and we need at least 100 different of them.

Test/Demo Plan

It's important that we are able to test new features, and demonstrate them to users. Use this section to describe a short plan that anybody can follow that demonstrates the feature is working. This can then be used during CD testing, and to show off after release.

This need not be added or completed until the specification is nearing beta.

Outstanding Issues

  • It is not clear yet how to provide accessibility for the face-browser.
  • If user-names (no matter if login-name or real name) should be displayed or not with the photos/images will be discussed in a desktop-team meeting (targetted for 22.10.2007, 13:00 UTC, #ubuntu-meeting on freenode IRC)

BoF agenda and discussion


  • Add an option in GDM to disable the login sound (very useful when working in libraries)
  • Enable password-less connections (i.e. users have a password but allow GDM to connect locally without using it)? Another feature we really need for home computers.KDM already has it, I opened a bug on GDM but it is really not active: Could there be a discussion about that? IMHO, it is essential. - Milan71

  • Support pulling faces from LDAP jpegPhoto attribute (that's against some security-policies I was pointed towards by KeesCook, anything coming from directory-services should not be easily browsable with the face-browser, only local users will be displayed)

  • Please add the ability to browse users using the arrow keys.This is one feature that I really miss.Also,a clock in the login screen would be a very welcome addition. --Mahdee Jameel
    • Add an option to have the browser show only logged in users. This would be helpfull when a) multiple people are logged in and b) when there are many(150 in my case) users to choose from. A person should be able to walk up the computer and know if he or she is logged in without scrolling though the whole list.


  • Preliminary note: First, thank you very much for your effort for improving the login experience. During reading the description, some questions arised which I want to discuss afterwards. Please tell me if some of my descriptions are not clear and if you need further design proposals - at the moment I rather focus on criticizing Wink ;-) -- Christoph

  • Screen “Face Browser”:
    • View without filter:
      • Do the users really know that they can filter the list by just start typing? I'm sure many people will miss that opportunity, therefore I propose to add a separate search field.
      • I'm a bit confused concerning “real name” and “login-name” in the specification. At the moment, the filter does consider the “login-name” name only, but the face browser will show the user's “real name”, if available. So the user will see the “real name” on the screen, but the filter will only consider “log-in” name? Here, the filter should rely on the shown data or use both information (Which may lead to other problems if the user filters the “face entries” and some of them do not disappear because the filter accepts data hidden from the current user's view. But this seems less problematic).
      • Do the people really know that the “white areas” can be clicked on? (Sorry, this might be a kind of art design issue.) At the moment they do not look like buttons nor do they behave like hyperlinks. I propose to provide button behavior or (maybe more elegant) a kind of mouse-over event.
      • I seem to missed the information how the “face entries” are sorted (alphabetically?, last login?, ...) or arranged (left to right, up to down?) in the “face browser”. To provide some visual feedback without introducing other UI elements, the face browser could fade in the “face entries” accordingly. (In my point of view, some UI elements could improve the orientation if many entries are available.)
    • View with filter applied:
      • I do not understand how to reset the filter in the “face browser” without filter. If typing filters, does the backward key removes the filter step-by-step, or ESC resets it completely? This information should be more prominent, therefore I propose a “clear filter” control element.
      • If the number of search result is 1, is it necessary to click on the “face entry”? Use Case: This forces the user to move the hand from the keyboard to the mouse to click on the entry. Proposal: It would be nice if there is some kind of auto completion, or pressing ENTER should just select the one entry.
      • I'm not sure how the view is updated; during typing or with some delay? It would be desirable to have some smooth animation when providing the search result to “guide” the view of the user. (Use Case: Maybe the user keeps an eye on an “face entry”. It should not abruptly disappear and reappear at another position.)
  • Screen “Enter Password”:
    • I'm not sure if it is a good idea to separate the information on “user name / log in name” and the password entry.
      • Why? If a set of stock icons is used it may be possible that some users will choose identical icons. Most likely, some users will select the wrong log-in entry although they clicked on the correct graphical symbol.
      • Proposal: Add the user information (log in name, user name) to the dialog.
      • Side effect: This would make it possible to re-use the login screen for the the screen saver password dialog or if too many “face entries” are present on the system. To keep the consistency, the text field could be changed to a text control element.
    • The password dialog groups the information important for the log in. In my point of view, the “caps lock” warning belongs to it, too. Proposal: Move it to the inside of the dialog.
    • I seem to have missed the information what happens, if the if the log in fails (e.g. wrong password entered).
    • What happens, if the user goes back? Will the last screen content be restored, including the filter? Proposal: If no “cancel filter” or “search field” are available, then show “face browser” without filter. If they are available, then restore the last (filtered) view.
    • The buttons for “going back” and “log in” do have the same distance to the login field. In my point of view, the meaning of the buttons is different.
      • Proposal “go back”: Relocate the button to have more distance from the input field. Another wish of mine would be to insert some descriptive text, otherwise users may think this is a “delete last character” button Wink ;-)

      • Proposal “log in”: If used next to the input field, try to merge it with the input field (like the Firefox URL bar). Otherwise the meaning may not be clear enough (There is a similar issue in the “Network” settings window of Gnome.).
  • Miscellaneous:
    • If there is only one user on the system, why show her/him the “face browser”? It may be a good idea to directly jump to the “enter password” screen.
    • Will some standard information/interaction be provided like today (e.g. reboot, shut down)? Especially in computer class rooms or universities it the name of the computer is important (e.g. when calling the administrator...).
    • A non-sense idea Wink ;-) Many PCs are equipped with a webcam. It would be cool if some kind of face recognition can guess the user or at least deactivate the screen saver if somebody is in front of the computer.

  • WOW! Really nice! I just wonder if the filtering feature isn't too hard to detect. Yes, I know: GtkTreeView also has such a feature, well and I am quite sure many users are not aware of it.

    • But for the users that already know gdm, typeahead is nice, because you just type your username as you normally would to log in and gdm finds your user account and selects it by pressing enter.
  • Personally I liked the first version more than the latest video
    • Pictures used more of space of the screen
    • It is clean and easy
    • However some improvements:
      • there is no reason to waste that much space with the ubuntu logo. put it in the background as a watermark or so ...
      • I would like to have a Top Menubar like inside Gnome also in GDM (Ubuntu Logo - Session - System) (Hostname) (Clock)
      • With the Screensaver we have a possibility to leave a message, maybe do this in GDM, too. Typing the Username you want to leave a message for. Have a button and a text field (1 line - that expands as you type) on the bottom to leave a message for the user.
  • While we're thinking about such changes, it could be interesting to build some actual configuration stuff into the login screen. For example, it is not exactly easy or obvious how to create a new user account (log in as a new user...), generally requiring one to log in to an existing account first. That isn't exactly sane when we take into account that a user accounts GNOME session can (potentially) be broken beyond repair necessitating that new account, and slows down the process considerably. It would be a nice touch if the face browser had an "Add User" icon (or "Manage Users") within it. That would lead into a simple user interface (maybe a stripped down GNOME session aimed specifically at gnome-add-user if it can't run straight above GDM) that plugs in to PolicyKit to do the task. The GDM configuration is a similar matter, again made tidier by PolicyKit. -- dylanmccall 2008-09-01 16:09:35

  • And while we're here, I notice that the current mockups are missing Session Type and whatnot. This would work well if there was a combo box type selector in the screen where a user types his password. The visual design here gives us a bit more flexibility for that since each user is represented as an individual card. This could be much more powerful than the existing GDM visual design, since on that end the session type choice is usually "last used session" or "default session" for the chosen user... but the system never actually says what session that is because that session choice dialog is designed to affect whatever user you then log in as. Here, there would be no such problem. Just pick a user, see that the session choice is currently "Failsafe X" so toggle it back to "GNOME". -- dylanmccall 2008-09-01 16:15:45

  • Would one line of text ruin the sleek image we are going for? Because, "Start typing your name, or select from below" would solve a lot of peoples complaints about not finding this feature. Though I imagine that 90% of computer accounts are going to be made up of 1, 4, or 5 users. Though it would be nice to offer options for the last 10% such as schools, they may inevitably end up using guest accounts or text only login fields (as they will typically be over 100). -- adam-w-knox 2009-05-29 18:29:22


DesktopTeam/Specs/GdmFaceBrowser (last edited 2009-05-29 18:29:22 by static-96-227-186-11)