Setup Fingerprint Reader Authentication with PAM on Linux

Fingerprint reader authentication adds a layer of biometric security to Linux systems, letting you authenticate with a finger swipe instead of typing passwords. The fprintd project provides the tools needed to enroll fingerprints and integrate them with PAM (Pluggable Authentication Modules) for login, sudo, and screen unlock on any Linux distribution.

Original content from computingforgeeks.com - post 52

This guide walks through detecting your fingerprint reader, installing fprintd, enrolling fingerprints, and enabling PAM-based fingerprint authentication on Ubuntu, Debian, Fedora, RHEL, Rocky Linux, and Arch Linux. Every step includes verification so you can confirm it works before moving on.

Prerequisites

  • A Linux system with a built-in or USB fingerprint reader
  • Root or sudo access
  • A desktop environment (GNOME, KDE Plasma, or similar) for graphical login integration
  • Supported fingerprint reader – check the libfprint supported devices list for compatibility

Step 1: Check if Your Fingerprint Reader is Detected

Before installing anything, confirm that Linux recognizes your fingerprint hardware. Run lsusb to list all USB devices and look for entries mentioning fingerprint, biometric, or the sensor manufacturer (Synaptics, Elan, Goodix, Validity, etc.).

lsusb

Look for a line referencing your fingerprint sensor. Common entries look like this:

Bus 001 Device 004: ID 06cb:00bd Synaptics, Inc. Prometheus MIS Touch Fingerprint Reader
Bus 001 Device 003: ID 04f3:0c1a Elan Microelectronics Corp. ELAN:Fingerprint

If you see your fingerprint reader listed, the kernel has detected the hardware. If nothing shows up, your reader may need a proprietary driver or may not be supported by libfprint. You can also filter the output to narrow down the search.

lsusb | grep -iE "fingerprint|biometric|goodix|synaptics|elan|validity"

For a more detailed view of the device, use lsusb -v with the device vendor and product ID. You can also check hardware information on Linux using dmidecode for additional details about your system hardware.

Step 2: Install fprintd and libpam-fprintd

fprintd is the fingerprint daemon that communicates with your reader through libfprint, while pam_fprintd is the PAM module that handles authentication. Install both along with their dependencies.

On Ubuntu and Debian:

sudo apt update
sudo apt install fprintd libpam-fprintd

On Fedora:

sudo dnf install fprintd fprintd-pam

On RHEL 10, Rocky Linux 10, and AlmaLinux 10:

sudo dnf install fprintd fprintd-pam

On Arch Linux:

sudo pacman -S fprintd

After installation, verify that the fprintd service is available and running.

systemctl status fprintd

The service starts on demand through D-Bus activation, so it may show as inactive until a fingerprint operation triggers it. That is normal. If you want to manage systemd services manually, you can start it with systemctl start fprintd.

Step 3: Enroll Fingerprints with fprintd-enroll

Fingerprint enrollment scans your finger multiple times to build a reliable template. The fprintd-enroll command handles this process. Run it as your regular user (not root) to enroll for the currently logged-in account.

fprintd-enroll

The command prompts you to swipe or place your finger on the reader multiple times. You will see output similar to this:

Using device /net/reactivated/Fprint/Device/0
Enrolling right-index-finger finger.
Enroll result: enroll-stage-passed
Enroll result: enroll-stage-passed
Enroll result: enroll-stage-passed
Enroll result: enroll-stage-passed
Enroll result: enroll-completed

By default, fprintd-enroll registers your right index finger. To enroll a different finger, specify it with the -f flag. Available finger names are: left-thumb, left-index-finger, left-middle-finger, left-ring-finger, left-little-finger, right-thumb, right-index-finger, right-middle-finger, right-ring-finger, right-little-finger.

fprintd-enroll -f left-index-finger

Enroll at least two fingers (one from each hand) so you have a backup if one finger is injured or wet. To enroll a finger for a different user, run the command as root with the username.

sudo fprintd-enroll username

To see which fingers are enrolled for your account:

fprintd-list $USER

This shows all enrolled fingerprints and the device being used:

found 1 devices
Device at /net/reactivated/Fprint/Device/0
Using device /net/reactivated/Fprint/Device/0
Fingerprints for user jkmutai on Synaptics Sensors (press):
 - #0: right-index-finger
 - #1: left-index-finger

Step 4: Verify Fingerprint Enrollment

After enrollment, test that the reader can successfully match your finger against the stored template. The fprintd-verify command does a one-time verification scan.

fprintd-verify

Place your enrolled finger on the reader when prompted. A successful verification looks like this:

Using device /net/reactivated/Fprint/Device/0
Listing enrolled fingers:
 - #0: right-index-finger
Verify result: verify-match (done)

If verification fails with verify-no-match, the scan did not match the enrolled template. Try again with a clean, dry finger placed flat on the sensor. If it consistently fails, delete the enrollment and re-enroll.

fprintd-delete $USER
fprintd-enroll

Make sure to swipe slowly and consistently during enrollment for better recognition accuracy.

Step 5: Enable PAM Fingerprint Authentication

With fingerprints enrolled and verified, the next step is enabling PAM to accept fingerprint scans as a valid authentication method. This is what ties fprintd into the system login, sudo, and screen lock flows.

Ubuntu and Debian

On Debian-based systems, use the pam-auth-update tool which safely manages PAM configuration.

sudo pam-auth-update

A text-based dialog appears listing available authentication methods. Use the arrow keys and spacebar to enable “Fingerprint authentication”, then press Tab to select OK and hit Enter. The tool updates all necessary PAM configuration files automatically.

You can verify the change was applied by checking the common-auth PAM file:

grep fprintd /etc/pam.d/common-auth

You should see a line referencing pam_fprintd.so:

auth  [success=2 default=ignore]  pam_fprintd.so max_tries=1 timeout=10

Fedora, RHEL, Rocky Linux, and AlmaLinux

On Red Hat family distributions, use authselect to enable fingerprint authentication alongside existing methods.

sudo authselect enable-feature with-fingerprint

Confirm the feature is active:

authselect current

The output should show with-fingerprint in the list of enabled features:

Profile ID: sssd
Enabled features:
- with-fingerprint
- with-silent-lastlog

Arch Linux

On Arch Linux, PAM configuration is manual. Edit the system-local-login PAM file to add fingerprint support.

sudo vi /etc/pam.d/system-local-login

Add this line at the top of the file, before any other auth lines:

auth      sufficient    pam_fprintd.so

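The sufficient control flag means a successful fingerprint scan ends the auth stack with success immediately, so the modules listed below it (including the password check) are not consulted. If the scan fails (wrong finger, timeout), the failure is ignored and PAM moves on to the next authentication method, typically the password.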

Step 6: Configure Fingerprint Authentication for sudo

Enabling fingerprint authentication for sudo lets you run privileged commands by swiping your finger instead of typing your password. This is useful on laptops where typing a password at the terminal is less convenient.

Ubuntu and Debian

If you enabled fingerprint authentication through pam-auth-update in Step 5, sudo already picks it up automatically through the common-auth include. Test it right away.

sudo whoami

You should be prompted to swipe your finger. After a successful scan, the command returns root without asking for a password.

Fedora, RHEL, Rocky Linux, and AlmaLinux

The authselect enable-feature with-fingerprint command from Step 5 handles sudo integration automatically on Red Hat family systems. Verify by running a sudo command and checking if the fingerprint prompt appears.

Arch Linux

For Arch, you need to add the fprintd PAM line to the sudo configuration specifically.

sudo vi /etc/pam.d/sudo

Add this line at the top, before other auth entries:

auth      sufficient    pam_fprintd.so

After saving, test with sudo whoami. The terminal will wait for a fingerprint scan. If you do not swipe within the timeout period (default 30 seconds), it falls back to password. Adding two-factor authentication for SSH alongside fingerprint auth provides even stronger access control for your system.

Step 7: Configure Fingerprint Authentication for Graphical Login

Most modern display managers support fingerprint login when PAM is configured correctly. The login screen shows a fingerprint icon or prompt when a reader is available and enrolled fingerprints exist.

GNOME (GDM)

GNOME has built-in fingerprint support through its Settings panel. If fprintd is installed and PAM is configured, GDM automatically offers fingerprint login at the lock screen and login screen. You can also manage enrolled fingerprints from the GUI.

Open GNOME Settings and navigate to Users. Click on “Fingerprint Login” to enroll or manage fingerprints through the graphical interface. This is an alternative to the command-line fprintd-enroll method.

If fingerprint login does not appear on the GDM login screen, verify the PAM configuration is active and restart GDM.

grep fprintd /etc/pam.d/gdm-fingerprint

You should see pam_fprintd.so referenced in the GDM fingerprint PAM file:

auth      required      pam_fprintd.so

If GDM still does not show the fingerprint option, restart the display manager:

sudo systemctl restart gdm

KDE Plasma (SDDM)

SDDM does not have native fingerprint support built into its login screen in most current versions. However, fingerprint authentication still works for screen unlock and sudo within a KDE Plasma session when PAM is configured.

To enable fingerprint support for the KDE lock screen, check that the PAM file for KDE screen locker includes fprintd.

sudo vi /etc/pam.d/kde

Add the fprintd line at the top of the auth section if it is not already present:

auth      sufficient    pam_fprintd.so

KDE Plasma 6.x has improved fingerprint integration. If you are running an older version, upgrading to the latest KDE Plasma release provides better biometric support.

Step 8: Troubleshoot Fingerprint Reader Issues

Fingerprint authentication depends on hardware compatibility, driver support, and correct PAM configuration. Here are the most common issues and their solutions.

Reader Not Detected by lsusb

If lsusb does not show your fingerprint reader at all, the issue is at the hardware or kernel level. Check if the device appears in the kernel messages.

dmesg | grep -i fingerprint

If there are no entries, try these fixes:

  • Update your kernel to the latest available version – newer kernels add support for more readers
  • Check BIOS/UEFI settings – some laptops allow disabling the fingerprint reader in firmware
  • Try a different USB port if using an external reader

Reader Detected but fprintd Cannot Use It

Some readers are detected by the kernel but not supported by libfprint. Check if your specific device is in the supported list.

fprintd-list $USER

If you get an error like “No devices available”, your reader is not supported by the installed version of libfprint. Options include:

  • Update libfprint to the latest version – new releases frequently add device support
  • Check if a proprietary driver exists from the hardware vendor (common for Goodix and some Synaptics readers)
  • For Goodix readers on newer laptops, the libfprint-tod package or goodix-fp-linux-driver may be needed

Permission Denied Errors

If fprintd-enroll fails with permission errors, the D-Bus policy or polkit rules may be blocking access. Check that your user is in the correct group and that the fprintd service is running.

systemctl status fprintd

If the service is not running, start it manually:

sudo systemctl start fprintd

For polkit-related denials, check that a polkit authentication agent is running. On GNOME, this is handled automatically. On minimal window managers, you may need to start a polkit agent manually.

/usr/lib/polkit-gnome/polkit-gnome-authentication-agent-1 &

Review journal logs for detailed error messages if problems persist:

journalctl -u fprintd -b --no-pager

The log output shows exactly which step is failing – device initialization, enrollment, or verification – and helps pinpoint the root cause. Following security best practices for Linux alongside biometric authentication strengthens your overall system security posture.

Fingerprint Works but Timeout is Too Short

If the fingerprint prompt disappears too quickly before you can scan, adjust the timeout in the PAM configuration. Edit the relevant PAM file and set a longer timeout value.

auth  sufficient  pam_fprintd.so max_tries=3 timeout=30

The max_tries=3 option allows three scan attempts, and timeout=30 gives 30 seconds per attempt before falling back to password authentication.
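As an added example (not part of the original guide or of fprintd), the shell function below audits one PAM service file for the pam_fprintd.so entries covered in Steps 5 to 7 and in this section. It reports the control flag, max_tries, timeout, whether the entry is the first auth line, and whether a failed scan can still reach a password module. The function name audit_fprintd_pam and the sample files are constructed for illustration; the check reads a single file and counts a later include or substack as a fallback without following it.

```shell
#!/bin/sh
# Added example: summarize how pam_fprintd.so is wired into one PAM service file.
audit_fprintd_pam() {   # hypothetical helper name, not an fprintd tool
    awk '
    /^[ \t]*#/ || NF == 0 { next }                  # skip comments and blank lines
    $1 == "@include" { if (seen) later = 1; next }  # Debian-style include of another stack
    $1 != "auth" && $1 != "-auth" { next }          # only the auth stack matters here
    {
        n_auth++
        if (!seen && index($0, "pam_fprintd.so")) {
            seen = 1
            first = (n_auth == 1) ? "yes" : "no"
            # The control is one keyword or a bracketed [value=action ...] list.
            if (substr($2, 1, 1) == "[") {
                ctl = substr($0, index($0, "["), index($0, "]") - index($0, "[") + 1)
            } else { ctl = $2 }
            tries = opt("max_tries", "default")
            tmo = opt("timeout", "30")              # 30 s default, as stated in this guide
            next
        }
        # A later password module or included stack is what a failed scan falls through to.
        if (seen && ($0 ~ /pam_unix\.so/ || $2 == "include" || $2 == "substack")) later = 1
    }
    function opt(name, dflt,    i, kv) {            # read name=value from the module arguments
        for (i = 3; i <= NF; i++) { split($i, kv, "="); if (kv[1] == name) return kv[2] }
        return dflt
    }
    END {
        if (!seen) { print "pam_fprintd=absent"; exit }
        # sufficient and default=ignore both let the stack continue after a failed scan.
        cont = (ctl == "sufficient" || ctl ~ /default=ignore/)
        printf "control=%s max_tries=%s timeout=%s first_auth=%s fallback=%s\n",
            ctl, tries, tmo, first, ((cont && later) ? "yes" : "no")
    }' "$1"
}

# Constructed sample files that mirror the PAM lines shown in this guide.
tmp=$(mktemp -d)
printf '%s\n' 'auth sufficient pam_fprintd.so max_tries=3 timeout=30' \
    'auth include system-auth' > "$tmp/sudo"
printf '%s\n' 'auth [success=2 default=ignore] pam_fprintd.so max_tries=1 timeout=10' \
    'auth [success=1 default=ignore] pam_unix.so nullok' > "$tmp/common-auth"
printf '%s\n' 'auth required pam_fprintd.so' > "$tmp/gdm-fingerprint"
for f in sudo common-auth gdm-fingerprint; do
    printf '%-16s %s\n' "$f" "$(audit_fprintd_pam "$tmp/$f")"
done
```

Run it against the files you edited, such as /etc/pam.d/sudo or /etc/pam.d/system-local-login. A result of fallback=no on anything other than a fingerprint-only service such as gdm-fingerprint means that file offers no password path when the reader fails or is unavailable.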

Delete and Re-enroll Fingerprints

If recognition accuracy degrades over time, delete existing fingerprints and start fresh. This is also useful when switching to a different fingerprint reader.

fprintd-delete $USER

After deletion, re-enroll using the steps from Step 3. For the best recognition rate, enroll each finger with a clean, dry fingertip and vary the angle slightly between scans so the template covers different positions.

Conclusion

You now have fingerprint reader authentication configured through PAM on Linux, covering sudo, graphical login, and screen unlock. The fprintd daemon handles communication with the reader hardware, and the pam_fprintd module integrates seamlessly into the standard authentication stack.

For production workstations, keep password authentication as a fallback – fingerprint readers can fail with wet or damaged fingers, and a fingerprint should not be the only authentication method. Pair fingerprint login with disk encryption and strong passwords for a complete security setup.
