Linux Fingerprint Authentication on ThinkPads

Learn how to enable fingerprint authentication on your ThinkPad with a Linux distro.

Linux Fingerprint Authentication on ThinkPads

I recently got an X1 Carbon (7th generation) and I decided to install Linux Mint 20 on it, primarily because at least two people told me it was a good distro. One of the first things I wanted to get set up was fingerprint authentication so I could easily sign in without using my user password.

Several people have emailed me to let me know that this guide works on other Linux distros like Debian/Ubuntu, and other ThinkPads like the T450 and T460. But note that if you try it on something other than Linux Mint, you may need to install fprintd yourself.

Ubuntu 20.04 comes with improved support for fingerprint authentication, making it work entirely out of the box with any supported reader (which includes the X1C's fingerprint reader). The good news is that since Mint is based off of Ubuntu, many of the improvements carry over. But, of course, there are some caveats. Since much of the improvements made to fingerprint auth are Ubuntu-specific, we will need to:

  1. Update the fingerprint reader's firmware
  2. Install the PAM module for fprintd
  3. Enroll a finger from the command line

Update Reader Firmware

First, let's update the fingerprint reader firmware. Run these commands borrowed from the Arch Linux wiki to update the firmware.

Note: This will also update things like your ThinkPad's BIOS, Thunderbolt controller, etc. so if you only want to update the fingerprint reader, run fwupdmgr get-devices and find the "Prometheus" device – this is the fingerprint reader. Use that device ID in fwupdmgr update [device-id] to only update that specific device.

$ fwupdmgr refresh
$ fwupdmgr get-updates
$ fwupdmgr update

This will check for firmware updates and then update any devices that are out-of-date.

After updating the firmware, you might want to reboot – it's not required in my experience, but it doesn't hurt.

Install PAM Module

⚠️ Heads up: If you have an X1C6 or earlier, it likely uses a Validity fingerprint sensor, which requires a special driver. You can check to see if you have this reader by running lsusb and checking for a "Validity Sensors, Inc" or "Synaptics, Inc." device. Run through the setup here if you have one:

Next, we need to install the PAM module for fprintd so that it can be used as an authentication method alongside a password. Run this commands to do so:

$ sudo apt install libpam-fprintd

Now that the module is installed, we need to tell the system to use it:

$ sudo pam-auth-update

At this screen, make sure "Fingerprint authentication" is selected, then select "Ok" to save.

Enroll Fingerprint

Finally, let's enroll a fingerprint into fprintd so it can be used for authentication. We will be using fprintd-enroll to register a fingerprint. Run this command to enroll a finger:

$ fprintd-enroll -f [finger]

[finger] can be one of:

  • left-thumb
  • left-index-finger
  • left-middle-finger
  • left-ring-finger
  • left-little-finger
  • right-thumb
  • right-index-finger
  • right-middle-finger
  • right-ring-finger
  • right-little-finger

If omitted, it will default to the right index finger. Once run, press a finger on the sensor several times from several different angles. When the program exits, you are done.

If you do not have fprintd-enroll, then you may need to install fprintd with apt. It was already installed in my case.

Once your fingerprint has been enrolled, you can test it out using fprintd-verify, which is a simple application that verifies a fingerprint swipe. Run it, press the finger you just enrolled on the sensor, and it should work!

You should now be able to use your fingerprint as an authentication method anywhere PAM is used (which is basically anywhere you'd normally use your password). To test it out, try locking your machine and signing back in with your fingerprint. If it doesn't prompt you for a finger, try restarting your machine.

I wrote this article because it took me some digging through Reddit, random forum posts, wikis, and Stack Exchange to figure out exactly how to get fingerprint auth working on my X1C7, so I hope this helped at least one person save time on theirs!