Linux Fingerprint Authentication on ThinkPads
Learn how to enable fingerprint authentication on your ThinkPad with a Linux distro.
I recently got an X1 Carbon (7th generation) and I decided to install Linux Mint 20 on it, primarily because at least two people told me it was a good distro. One of the first things I wanted to get set up was fingerprint authentication so I could easily sign in without using my user password.
Several people have emailed me to let me know that this guide works on other Linux distros like Debian/Ubuntu, and other ThinkPads like the T450 and T460. But note that if you try it on something other than Linux Mint, you may need to install
Ubuntu 20.04 comes with improved support for fingerprint authentication, making it work entirely out of the box with any supported reader (which includes the X1C's fingerprint reader). The good news is that since Mint is based off of Ubuntu, many of the improvements carry over. But, of course, there are some caveats. Since much of the improvements made to fingerprint auth are Ubuntu-specific, we will need to:
- Update the fingerprint reader's firmware
- Install the PAM module for
- Enroll a finger from the command line
Update Reader Firmware
First, let's update the fingerprint reader firmware. Run these commands borrowed from the Arch Linux wiki to update the firmware.
Note: This will also update things like your ThinkPad's BIOS, Thunderbolt controller, etc. so if you only want to update the fingerprint reader, run
fwupdmgr get-devices and find the "Prometheus" device – this is the fingerprint reader. Use that device ID in
fwupdmgr update [device-id] to only update that specific device.
$ fwupdmgr refresh $ fwupdmgr get-updates $ fwupdmgr update
This will check for firmware updates and then update any devices that are out-of-date.
After updating the firmware, you might want to reboot – it's not required in my experience, but it doesn't hurt.
Install PAM Module
⚠️ Heads up: If you have an X1C6 or earlier, it likely uses a Validity fingerprint sensor, which requires a special driver. You can check to see if you have this reader by running
lsusband checking for a "Validity Sensors, Inc" or "Synaptics, Inc." device. Run through the setup here if you have one: https://github.com/uunicorn/python-validity#setting-up
Next, we need to install the PAM module for
fprintd so that it can be used as an authentication method alongside a password. Run this commands to do so:
$ sudo apt install libpam-fprintd
Now that the module is installed, we need to tell the system to use it:
$ sudo pam-auth-update
At this screen, make sure "Fingerprint authentication" is selected, then select "Ok" to save.
Finally, let's enroll a fingerprint into
fprintd so it can be used for authentication. We will be using
fprintd-enroll to register a fingerprint. Run this command to enroll a finger:
$ fprintd-enroll -f [finger]
[finger] can be one of:
If omitted, it will default to the right index finger. Once run, press a finger on the sensor several times from several different angles. When the program exits, you are done.
If you do not have
fprintd-enroll, then you may need to install
apt. It was already installed in my case.
Once your fingerprint has been enrolled, you can test it out using
fprintd-verify, which is a simple application that verifies a fingerprint swipe. Run it, press the finger you just enrolled on the sensor, and it should work!
You should now be able to use your fingerprint as an authentication method anywhere PAM is used (which is basically anywhere you'd normally use your password). To test it out, try locking your machine and signing back in with your fingerprint. If it doesn't prompt you for a finger, try restarting your machine.
I wrote this article because it took me some digging through Reddit, random forum posts, wikis, and Stack Exchange to figure out exactly how to get fingerprint auth working on my X1C7, so I hope this helped at least one person save time on theirs!