I discovered recently that the fingerprint reader on my Laptop (a Lenovo T14 AMD) was well supported on Linux (Debian Bullseye). Enabling fingerprint authentication was very simple.

First, I installed fprintd

$ sudo apt install fprintd libpam-fprintd

Then I enrolled a finger. For example:

$ fprintd-enroll -f right-middle-finger
Enrolling right-middle-finger finger.
Enroll result: enroll-stage-passed
Enroll result: enroll-stage-passed
Enroll result: enroll-stage-passed
Enroll result: enroll-stage-passed
Enroll result: enroll-stage-passed
Enroll result: enroll-stage-passed
Enroll result: enroll-stage-passed
Enroll result: enroll-completed
$ # then verify
$ fprintd-verify 
Using device /net/reactivated/Fprint/Device/0
Listing enrolled fingers:
 - #0: right-middle-finger
 - #1: right-index-finger
Verify started!
Verifying: right-middle-finger
Verify result: verify-match (done)

All good. Now all that was needed was to add the fingerprint requirement to the authentication system, PAM. This is usually done by editing files in /etc/pam.d/ (there is one file per authentication context: login, sudo, gdm, polkit-1, etc), but I discovered that on Debian it could also be managed by pam_auth-update, a small utility that can fill the PAM configuration according to profiles defined in /usr/share/pam-configs/. Conveniently, Debian provides /usr/share/pam-configs/fprintd, which allows to enable fingerprint authentication everywhere, cleanly.

$ sudo  pam-auth-update --enable fprintd

And that’s it! All my former laptop’s fingerprint readers did not have a Linux driver, so I was pretty surprised to see everything worked almost out of the box.

Sources #

• fprintd man page
• pam-auth-update man page