
Linux Fingerprint Reader

My Framework laptop, which I love, has a built-in fingerprint reader. I didn't realize it before, because the reader is one-and-the-same as the power button!

Of course, once discovered, it had to be put into use. But, how do fingerprints work under Linux?

  1. A hardware device, typically USB, takes the fingerprint.
  2. Software, fprintd, enrolls and verifies fingerprints.
  3. PAM, the Pluggable Authentication Modules system for Unix, ties all this into your login system.

Hardware compatibility

The lsusb command gives a long list of USB devices. None of them looked like a fingerprint reader, but upon closer inspection we have:

Bus 003 Device 006: ID 27c6:609c Shenzhen Goodix Technology Co.,Ltd. [unknown]

Indeed, it is included in the fprint list of supported devices!

Software installation

On Fedora, this was straightforward. Just remember the PAM module as well, which we'll use later:

sudo dnf install fprintd fprintd-pam

Taking fingerprints

I registered two fingers:

sudo fprintd-enroll stefan -l left-index-finger
sudo fprintd-enroll stefan -l right-index-finger

Note the username as the first argument, otherwise all your fingerprints are belong to root.

Enabling PAM: take 1

Do not do this!

My first attempt to enable fingerprint was:

sudo authselect current
sudo authselect enable-feature with-fingerprint
sudo authselect apply-changes

HOWEVER, this results in both a password and a username being required. And sudo first gives you the option of taking a fingerprint (this can be bypassed with Ctrl-C, and also does not appear when using SSH).

Enabling PAM: take 2

I had no desire to use fingerprints for logging in; I just need an easy way to unlock my screen lock, swaylock.

Fortunately, swaylock has built-in PAM support, but the same concept shown here works for all apps that support PAM, including login.

Following ArchWiki fprintd instructions, I added a PAM profile for swaylock. In /etc/pam.d/swaylock:

EDIT: 2026-03-13: update pam rules

# Try password first; then
# - if password is correct, skip 1 line (skip fprintd) and go to 'required',
# - if it's wrong or empty, 'ignore' and move to the next line (fprintd).
auth    [success=1 default=ignore]  pam_unix.so
auth    sufficient                  pam_fprintd.so

# Fallback
auth    required                    pam_unix.so try_first_pass

# Default permission checks: password expiry, access hours, account lock etc.
account required                    pam_unix.so

If there is an existing line like `auth include login`, you need to comment that out.

By default, swaylock will send through empty passwords to PAM for authentication, which is what we want. But if you have a configuration file in, e.g., ~/.swaylock/config, you may need to comment out ignore-empty-password.

And, voila, either password or fingerprint accepted for unlocking! If you want to require both password and fingerprint, you can use the following profile:

auth    required    pam_unix.so
auth    required    pam_fprintd.so
account required    pam_unix.so
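
To see why the first profile accepts either factor while the second demands both, here is a small Python model of the auth stack walk. It is an added example, not part of the original setup and not real libpam: it models only the three control values used in the two profiles, and assumes pam_unix.so succeeds exactly when the typed password is correct and pam_fprintd.so exactly when the finger matches.

```python
import re

# The two swaylock profiles from this post (only the auth lines matter here).
EITHER = """
auth    [success=1 default=ignore]  pam_unix.so
auth    sufficient                  pam_fprintd.so
auth    required                    pam_unix.so try_first_pass
"""
BOTH = """
auth    required    pam_unix.so
auth    required    pam_fprintd.so
"""

def parse(profile):
    """Return [(control, module)] for each 'auth' line of a PAM profile."""
    pat = re.compile(r"\s*auth\s+(\[[^\]]*\]|\S+)\s+(\S+)")
    return [m.groups() for m in map(pat.match, profile.splitlines()) if m]

def authenticate(profile, password_ok, finger_ok):
    """Simplified model of the stack walk: returns (granted, modules_run)."""
    # Assumption: each module's result depends only on these two booleans.
    outcome = {"pam_unix.so": password_ok, "pam_fprintd.so": finger_ok}
    rules, i = parse(profile), 0
    granted, failed, ran = False, False, []
    while i < len(rules):
        control, module = rules[i]
        ok = outcome[module]           # try_first_pass reuses the same password
        ran.append(module)
        i += 1
        if control == "required":      # failure is remembered, walk continues
            granted, failed = granted or ok, failed or not ok
        elif control == "sufficient":  # success ends the walk, failure is ignored
            if ok and not failed:
                return True, ran
        elif control == "[success=1 default=ignore]":
            if ok:
                i += 1                 # jump over the next module
        else:
            raise ValueError(f"control not modelled: {control}")
    return granted and not failed, ran # nothing succeeded -> denied

def table(profile):
    """Map (password_ok, finger_ok) -> granted for all four combinations."""
    return {(p, f): authenticate(profile, p, f)[0]
            for p in (True, False) for f in (True, False)}

if __name__ == "__main__":
    for name, profile in (("either", EITHER), ("both", BOTH)):
        print(name, table(profile), authenticate(profile, True, False)[1])
```

With the first profile, a correct password jumps straight over pam_fprintd.so, so the reader is only consulted after a wrong or empty password.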

Further improvements

To enable fingerprint and password at the same time, you'd need pam-fprint-grosshack or similar, but I'm happy to press enter before fingerprint.


P.S. This is the first blog post I've written in org-syntax. Hugo supports it seamlessly, and since I keep work journal entries in org-mode anyway, it was a lot easier to copy content this way.