From ArchWiki
Jump to navigation Jump to search

From the fprint homepage:

The fprint project aims to plug a gap in the Linux desktop: support for consumer fingerprint reader devices.

The idea is to use the built-in fingerprint reader in some notebooks for login using PAM. This article will also explain how to use regular password for backup login method (solely fingerprint scanner is not recommended due to numerous reasons).


Make sure you have one of the supported finger scanners. You can check if your device is supported by checking list of supported devices. To check which one you have, type:

$ lsusb
Note: The above list of supported devices is not updated regularly and is not complete. Its worth testing your device using the instructions on this page even if it does not appear on that list, prior to resorting to AUR packages.


Install the fprintd package. imagemagick might also be needed.

Some devices require a different fork of libfprint specifically made for touch-based sensors and not (yet?) merged with the main libfprint: libfprint-tod. This is available as libfprint-tod-gitAUR


Login configuration

  • If you use GDM, the fingerprint-option is already available in the login menu (if not add yourself to the input group). You can skip this section!
  • If you use SDDM, see SDDM#Using a fingerprint reader.

Add pam_fprintd.so as sufficient to the top of the auth section of /etc/pam.d/system-local-login:

auth      sufficient pam_fprintd.so
auth      include   system-login

This tries to use fingerprint login first, and if it fails or if it finds no fingerprint signatures in the given user's home directory, it proceeds to password login.

You can also modify other files in /etc/pam.d/{login,su,sudo,gdm,lightdm} in the same way, for example /etc/pam.d/polkit-1 for GNOME polkit authentication or /etc/pam.d/kde to unlock KDE's lockscreen.

Adding pam_fprintd.so as sufficient to any configuration file in /etc/pam.d/ when a fingerprint signature is present will only prompt for fingerprint authentication. This prevents the use of a password if you cannot Ctrl+c fingerprint authentication (due to the lack of a shell). In order to use either a password or a fingerprint in a graphical interface, add the following line to the top of any files required:

auth		sufficient  	pam_unix.so try_first_pass likeauth nullok
auth		sufficient  	pam_fprintd.so

This will prompt for a password; pressing Enter on a blank field will proceed to fingerprint authentication.

Create fingerprint signature

You will need to have an authentication agent running before being able to enroll.

To add a signature for a finger, run:

$ fprintd-enroll

or create a new signature for all fingers:

$ fprintd-delete "$USER"
$ for finger in {left,right}-{thumb,{index,middle,ring,little}-finger}; do fprintd-enroll -f "$finger" "$USER"; done

You will be asked to scan the given finger. Swipe your right index finger five times. After that, the signature is created in /var/lib/fprint/.

For more information, see fprintd(1).

Restrict enrolling

By default you are allowed to enroll new fingerprints without prompting for the password or the fingerprint. You can change this behavior using Polkit rules.

There are two locations that contains the polkit configuration files:

  • /etc/polkit-1/rules.d/
  • /usr/share/polkit-1/rules.d/
Note: You should not modify the files under /etc/polkit-1/rules.d because they will be overwritten on update. Copy them in /usr/share/polkit-1/rules.d/ first.

In the following example only superuser can enroll fingerprints:

polkit.addRule(function (action, subject) {
  if (action.id == "net.reactivated.fprint.device.enroll") {
    return subject.user == "root" ? polkit.Result.YES : polkit.Result.NO


No devices available

If your supported device cannot be found or is claimed to be already open (in use), check fprintd logs with:

# journalctl -u fprintd.service

You may find log entries like:

fprintd[2936592]: Corrupted message received
fprintd[2936592]: Ignoring device due to initialization error: unsupported firmware version

Ensure your device's firmware is up to date with Fwupd.