Fingerprint Authentication on a Lenovo Z13 and Fedora 40

howto fedora fingerprint pam auth

2024-10-27


I've previously used fingerprint authentication on ThinkPads in the very distant past. There have been a lot of changes to the software stack since then, so I had to rediscover how to make the fingerprint reader work. I'm using Fedora 40. I don't actually think any of these instructions are Z13- or ThinkPad-specific, but YMMV.

First, install the fprintd package and enable the service:

$ sudo dnf install fprintd
$ sudo systemctl enable fprintd

Enrol some fingerprints:

$ fprintd-enroll

You'll need to touch the fingerprint reader multiple times (sometimes many times!) to build the model of your fingerprint. If you want to register a specific finger, you can do so with the -f flag. From the man page, the supported finger identifiers are:

For fprintd-enroll, the finger to enroll. Possible values are:

left-thumb, left-index-finger, left-middle-finger, left-ring-finger, left-little-finger,
right-thumb, right-index-finger, right-middle-finger, right-ring-finger, right-little-finger.

Once you have registered your fingerprints, you can check with:

$ fprintd-verify

Next, you need to tell the system to include fingerprint login in the available authentication methods. This was new territory for me, as I wasn't familiar with authselect, which became the default management interface for authentication back in Fedora 28.

To check that fingerprint authentication is available:

$ authselect list-features local

You should see the with-fingerprint capability. Now, we add this to our profile, and then apply the new configuration:

$ sudo authselect enable-feature with-fingerprint
$ sudo authselect apply-changes

Now, reboot the system to apply the new authentication profile. There is probably a way to do this without rebooting, but I didn't research that far. Once rebooted, open a terminal, and invoke something with sudo to test authentication:

$ sudo ls
Place your finger on the fingerprint reader

You should now be able to authenticate.
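
To audit what the with-fingerprint feature changed, the following added example (not part of the original post) reports where the fingerprint module sits in a PAM auth stack and with which control flag; a `sufficient` entry ahead of the password module means a fingerprint match alone satisfies sudo. It assumes the module is named pam_fprintd.so and that the generated stack lives in /etc/pam.d/system-auth; the sample stack is constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: audit the position and control flag of pam_fprintd.so.

# Constructed sample resembling an auth stack with fingerprint enabled
# (illustrative only; not copied from a real system).
sample_stack() {
cat <<'EOF'
# constructed sample
auth        required      pam_env.so
auth        sufficient    pam_fprintd.so
#auth       sufficient    pam_example_disabled.so
auth        sufficient    pam_unix.so nullok
auth        required      pam_deny.so
account     required      pam_unix.so
EOF
}

# Read a PAM file on stdin. Print "absent" if no active auth line loads
# pam_fprintd.so, otherwise its control flag, its position among the active
# auth lines, and whether it is evaluated before pam_unix.so (the password).
fprint_report() {
  awk '
    /^[ \t]*#/ || NF < 3 { next }            # skip comments and short lines
    $1 ~ /^-?auth$/ {
      ctl = $2; i = 3
      # Bracketed controls such as [success=done default=ignore] span fields.
      if (ctl ~ /^\[/) { while (ctl !~ /\]$/ && i <= NF) { ctl = ctl " " $i; i++ } }
      mod = $i; sub(/.*\//, "", mod)         # drop any directory prefix
      pos++
      if (mod == "pam_fprintd.so" && !fp) { fp = pos; fpctl = ctl }
      if (mod == "pam_unix.so" && !ux) { ux = pos }
    }
    END {
      if (!fp) { print "absent"; exit }
      before = ux ? (fp < ux ? "yes" : "no") : "n/a"
      printf "control=%s position=%d before_password=%s\n", fpctl, fp, before
    }'
}

# Demo on the constructed sample. On a real system feed it the generated file:
#   fprint_report < /etc/pam.d/system-auth
sample_stack | fprint_report
```

Running it before and after `authselect enable-feature with-fingerprint` shows exactly which auth line the feature added.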