Fingerprint authentication is available in Debian through the fprint project. See the list of supported devices.
Installation
Install the packages fprintd (for managing fingerprints) and libpam-fprintd (for enabling fingerprint login):
# apt install fprintd libpam-fprintd
Configuration
Fingerprints can be added with the CLI command fprintd-enroll or through the GUIs of various desktop environments, such as GNOME's Settings or KDE's System Settings (under System / Users / Configure Fingerprint Authentication).
If fprintd-enroll is run without any arguments by the user who wants to enroll a fingerprint, it requests the current user's password and, after successful authentication, starts enrolling the right index finger.
When you see something like the following lines in the terminal output:
Using device /net/reactivated/Fprint/Device/0
Enrolling right-index-finger finger.
start touching (or swiping, depending on your device type) the sensor with your right index finger. The program responds to each correctly registered touch with a line like the following:
Enroll result: enroll-stage-passed
Continue touching the sensor, placing your finger at a different angle each time, until the program reports Enroll result: enroll-completed and quits.
At this point, you should be able to log in through your display manager (e.g., GDM, LightDM, or SDDM) using your right index finger. GDM, for example, will display "(or swipe finger)" under the password field when prompting for the user's password. SDDM will display a similar message. The normal password login will still be available.
You can also verify that your fingerprint was enrolled correctly by running:
$ fprintd-verify
Other helpful commands are fprintd-list and fprintd-delete. See man fprintd.1 for more information.
Fingerprint Authentication
To enable fingerprint authentication on a system-wide basis, run:
# pam-auth-update
and enable the "Fingerprint authentication" profile by checking the corresponding checkbox and then pressing "OK" (see Screenshot pam-auth-update).
Or simply run:
# pam-auth-update --enable fprintd
This will enable fingerprint authentication in various system facilities, such as sudo and desktop environments / display managers (e.g., KDE / SDDM). Generally, password authentication will still be possible. For example, sudo will initially request fingerprint authentication. If the user does not authenticate with a fingerprint, sudo will request password authentication after a timeout.
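To check which PAM services actually pick up the fingerprint module once the profile is enabled, the following added example (not part of the original page or of the fprint project) scans a pam.d directory for services whose auth stack loads pam_fprintd.so directly or through an @include. The function names and the sample tree built by make_sample are constructed for illustration, and the example assumes the profile places a pam_fprintd.so line in common-auth.

```shell
#!/bin/sh
# Added example: list PAM services whose auth stack reaches pam_fprintd.so,
# directly or through an "@include" of another file in the same directory.

# has_fprintd FILE: true if FILE has an uncommented auth line loading pam_fprintd.so
has_fprintd() {
    grep -Eq '^[[:space:]]*-?auth[[:space:]].*pam_fprintd\.so' "$1"
}

# fprintd_services DIR: print the affected service names, one per line, sorted
fprintd_services() {
    dir=$1
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        svc=$(basename "$f")
        case $svc in common-*) continue ;; esac   # shared stacks, not services
        if has_fprintd "$f"; then
            echo "$svc"
            continue
        fi
        # Follow one level of @include (Debian services include common-auth).
        for inc in $(sed -n 's/^[[:space:]]*@include[[:space:]]\{1,\}\([^[:space:]]\{1,\}\).*/\1/p' "$f"); do
            if [ -f "$dir/$inc" ] && has_fprintd "$dir/$inc"; then
                echo "$svc"
                break
            fi
        done
    done | sort
}

# make_sample DIR: constructed pam.d tree for demonstration (not real system files);
# "localsvc" is a hypothetical service with the module commented out.
make_sample() {
    mkdir -p "$1"
    printf '%s\n' \
        'auth [success=2 default=ignore] pam_fprintd.so max-tries=1 timeout=10' \
        'auth [success=1 default=ignore] pam_unix.so nullok try_first_pass' \
        'auth requisite pam_deny.so' > "$1/common-auth"
    printf '%s\n' '@include common-auth' '@include common-account' > "$1/sudo"
    printf '%s\n' '@include common-auth' > "$1/sddm"
    printf '%s\n' '# auth sufficient pam_fprintd.so' 'auth required pam_unix.so' > "$1/localsvc"
}

# On a real system: fprintd_services /etc/pam.d
```

Any service in the output accepts a fingerprint in place of the password, so review the list against what you intended to expose to fingerprint authentication.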
Caveats
There are a few caveats, or quirks, to keep in mind when using fingerprint authentication.
- At least as of this edit, in Bookworm, the background "fprintd" process, which is owned by root, will sometimes interfere with a non-root user's ability to enroll fingerprints. If this happens, simply kill that process and, if you are using the GNOME settings GUI to enroll fingerprints, close and reopen the enrollment window after the "fprintd" process has been killed. You should then be able to enroll your fingerprints properly.
- If you use your fingerprint for your initial login, you will still be required to enter your password to unlock your desktop environment's keyring/wallet, unless you opted not to encrypt it with your password when it was created. Much like a smartphone, these services use that password to encrypt their content locally on your drive, so the best practice for fingerprint authentication seems to be to log in initially with your real password, to make sure all services get unlocked or started properly, and then use your fingerprint for unlocking the screen, running commands with sudo, etc.