Guide

How to Enable the Fingerprint Reader in Linux on the Framework Laptop

This article describes the process for enabling the fingerprint reader on Linux using the fprintd service. Linux Mint and a Framework laptop based on the AMD Ryzen platform is used as an example for this guide.

How to Enable the Fingerprint Reader in Linux on the Framework Laptop

Microsoft Windows has evolved over the years to support a diverse range of hardware out of the box. This is includes the recently introduced range of Framework laptops, particularly the AMD Ryzen variants.

Although these devices have fully support for Linux, this support is primarily focussed to achieve maximum compatibility with Ubuntu... so far.

I have been using Linux Mint, as my primary operating system, for almost two years. So I installed Mint on the Framework laptop. The device I used had the Ryzen 7, and the standard Goodix fingerprint reader, which is built into the power button on all Framework laptops.

The default installation of Mint does not make it very obvious that there is support for the fingerprint reader.

Upon searching the internet for solution, the answer was found in none other than the Linux Mint forums.

User jodarove has provided a step-by-step guide in a post on the Mint forums.[1]

This post summarizes the steps required to enable the fingerprint reader and start using it.

Hardware Identification

Before proceeding, it is important to ensure that the hardware is supported.

Identify the exact hardware by checking its USB ID.

lsusb

This should list all the USB devices, including the fingerprint reader (which is internally connected via USB).

Here's an excerpt from an example output.

Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 001 Device 002: ID 32ac:0003 Framework DisplayPort Expansion Card
Bus 001 Device 003: ID 27c6:609c Shenzhen Goodix Technology Co.,Ltd. Goodix Fingerprint USB Device
Bus 001 Device 004: ID 0e8d:e616 MediaTek Inc. Wireless_Device
Bus 002 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub
Bus 003 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 004 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub

In this example, the fingerprint reader is found on Bus 001 Device 003

Bus 001 Device 003: ID 27c6:609c Shenzhen Goodix Technology Co.,Ltd. Goodix Fingerprint USB Device

The USB ID in this example is 27c6:609c.

Check if the USB ID of your device's fingerprint reader can be found on libfprint's supported devices list here.

Setup

Install fprintd

fprintd is a software service that facilitates fingerprint scanning functionality.[2]

sudo apt install fprintd

Install the Associated PAM Module

The fprintd suite also includes a PAM module to implement user login. Install the library/module PAM module.

sudo apt install libpam-fprintd

Add Fingerprint as a Recognized Authentication Method

The fprintd PAM module integrates into the system's authentication mechanism.

Run the following command to invoke the selection screen.

sudo pam-auth-update

sudo pam-auth-update.png

Fingerprint Management

Unfortunately this process does not provide any GUI to enroll fingerprints. However the fprintd suite also provides CLI tools to manage fingerprints. These can be used by all users, without escalated privileges.

  • fprintd-enroll
  • fprintd-verify
  • fprintd-list
  • fprintd-delete

All of the above commands require, at least, the authentication for the user being queried.

Enroll Fingerprints

Use the fprintd-enroll command to register a fingerprint. Although parameters are optional, the finger being enrolled can be specified with the --finger or -f argument.

The following options are acceptable.

  • left-thumb
  • left-index-finger
  • left-middle-finger
  • left-ring-finger
  • left-little-finger
  • right-thumb
  • right-index-finger
  • right-middle-finger
  • right-ring-finger
  • right-little-finger

So the command for enrolling the index finger on the right hand would be as follows:

fprintd-enroll -f right-little-finger

If you are familiar with enrolling fingerprints on other platforms like Windows, iOS or Android, the process is very similar. The command continously prompts to scan various regions of the finger, in stages, until it gets a complete scan.

Using device /net/reactivated/Fprint/Device/0
Enrolling right-little-finger finger.
Enroll result: enroll-stage-passed
Enroll result: enroll-stage-passed
Enroll result: enroll-stage-passed
Enroll result: enroll-stage-passed
Enroll result: enroll-retry-scan
Enroll result: enroll-stage-passed
Enroll result: enroll-stage-passed
Enroll result: enroll-stage-passed
Enroll result: enroll-stage-passed
Enroll result: enroll-stage-passed
Enroll result: enroll-stage-passed
Enroll result: enroll-stage-passed
Enroll result: enroll-stage-passed
Enroll result: enroll-completed

List Enrolled Fingers

A list of enrolled fingers can be obtained by running the fprintd-list command. It requires the username as an argument.

So, to list the enrolled fingers for the user peter, the following command can be run.

fprintd-list peter

This command will prompt for peter's password. If this command is being run by a user from the sudo group, they may be able to authenticate.

found 1 devices
Device at /net/reactivated/Fprint/Device/0
Using device /net/reactivated/Fprint/Device/0
Fingerprints for user peter on Goodix MOC Fingerprint Sensor (press):
 - #0: right-thumb
 - #1: left-index-finger
 - #2: right-index-finger

Verify Enrolled Finger

fprintd also provides a utility to verify a previous enrolled fingerprint. It accepts the specific finger to verify as a parameter for the -f switch.

For example, to verify if the right-index-finger is enrolled correctly, the following command may be run.

fprintd-verify -f right-index-finger

It will wait until any finger is scanned; and will then output the result

Here's an example result of a successful match.

Using device /net/reactivated/Fprint/Device/0
Listing enrolled fingers:
 - #0: right-thumb
 - #1: left-index-finger
 - #2: right-index-finger
Verify started!
Verifying: right-index-finger
Verify result: verify-match (done)

Here's an example result of a failed match.

Using device /net/reactivated/Fprint/Device/0
Listing enrolled fingers:
 - #0: right-thumb
 - #1: left-index-finger
 - #2: right-index-finger
Verify started!
Verifying: right-index-finger
Verify result: verify-no-match (done)

Delete Fingerprint

fprintd's fprintd-delete utility deletes a previous enrolled fingerprint.

Here's the command to delete the fingerprint enrolled as left-little-finger

fprintd-delete -f left-little-finger

Known Limitations

Keyring

Most Linux distributions have a built-in keyring service which protects secrets for each user. Usually, this keyring is locked with the user's account password.

When a user logs in with their enrolled fingerprint, the fprintd PAM module authenticates the user, but this does not unlock the keyring.

Typically, when this happens, the desktop environment will prompt the user for a password to unlock the keyring. The user will have to enter their password at this prompt to take advantage of the keyring functionality.

References

  1. https://forums.linuxmint.com/viewtopic.php?t=408129 ↩︎

  2. https://fprint.freedesktop.org/ ↩︎

Photo by George Prentzas / Unsplash

Join the voyage for free