
Fingerprint scanner

From NixOS Wiki
Revision as of 20:27, 19 October 2025 by Frontear (talk | contribs) (don't encourage enabling fprintd service at boot, this goes against upstream wishes and can lead to possible hardware damage, as many fingerprint scanners are not intended to remain "active" for a long time. it is more appropriate for the service to activate via dbus when it is needed, to greatly reduce this risk.)

Fingerprint scanners (on laptop computers) can be used to unlock devices instead of using passwords.

Install

# configuration.nix
{ config, lib, pkgs, ... }: {
  # ...

  # Install the driver
  services.fprintd.enable = true;
  # If simply enabling fprintd is not enough, try enabling fprintd.tod...
  services.fprintd.tod.enable = true;
  # ...and use one of the next four drivers
  services.fprintd.tod.driver = pkgs.libfprint-2-tod1-goodix; # Goodix driver module
  # services.fprintd.tod.driver = pkgs.libfprint-2-tod1-elan; # Elan(04f3:0c4b) driver
  # services.fprintd.tod.driver = pkgs.libfprint-2-tod1-vfs0090; # (Marked as broken as of 2025/04/23!) driver for 2016 ThinkPads
  # services.fprintd.tod.driver = pkgs.libfprint-2-tod1-goodix-550a; # Goodix 550a driver (from Lenovo)

  # However, for FocalTech 2808:a658, use fprintd with an overridden package (without tod)
  # services.fprintd.package = pkgs.fprintd.override {
  #   libfprint = pkgs.libfprint-focaltech-2808-a658;
  # };
}

Enroll fingerprint

Fingerprint enrollment can be done via the CLI or the UI in the Desktop Environment if available.

CLI

$ fprintd-enroll

Gnome

In Gnome, fingerprints can be configured through the Settings application.

  1. Open Gnome Settings
  2. Scroll down to System
  3. Enter the Users menu
  4. Enter Fingerprint Login and add fingerprints

Note: If the Fingerprint Login item is not available, the fprintd driver might not be configured correctly.

Login

While services.fprintd.enable = true; enables fingerprint login for the majority of display managers via the corresponding PAM module, it can sometimes disable the ability to log in using a password. This is discussed in GitHub issue 171136, which describes a possible workaround using a custom PAM service for the GNOME display manager:

security.pam.services.login.fprintAuth = false;
security.pam.services.gdm-fingerprint = lib.mkIf (config.services.fprintd.enable) {
  text = ''
    auth       required                    pam_shells.so
    auth       requisite                   pam_nologin.so
    auth       requisite                   pam_faillock.so      preauth
    auth       required                    ${pkgs.fprintd}/lib/security/pam_fprintd.so
    auth       optional                    pam_permit.so
    auth       required                    pam_env.so
    auth       [success=ok default=1]      ${pkgs.gdm}/lib/security/pam_gdm.so
    auth       optional                    ${pkgs.gnome-keyring}/lib/security/pam_gnome_keyring.so

    account    include                     login

    password   required                    pam_deny.so

    session    include                     login
    session    optional                    ${pkgs.gnome-keyring}/lib/security/pam_gnome_keyring.so auto_start
  '';
};
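
To check the result after a rebuild, the following added example (not from the wiki or from nixpkgs) parses PAM service files and reports how pam_fprintd.so is wired into each auth stack. The function names, the sample stacks and the /nix/store/EXAMPLE-* paths are constructed for illustration; audit() assumes the generated service files are under /etc/pam.d.

```python
import re
from pathlib import Path

# One PAM rule: type, control (keyword or [bracketed list]), module path.
RULE = re.compile(r"^-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)")

def auth_rules(text):
    """Return [(control, module file name)] for auth lines; include/substack is not followed."""
    rules = []
    for line in text.splitlines():
        m = RULE.match(line.split("#", 1)[0].strip())
        if m and m.group(1) == "auth":
            rules.append((m.group(2), m.group(3).rsplit("/", 1)[-1]))
    return rules

def classify(text):
    """Describe how pam_fprintd.so takes part in one service's auth stack."""
    rules = auth_rules(text)
    controls = [c for c, mod in rules if mod == "pam_fprintd.so"]
    if not controls:
        return "no-fingerprint"
    if controls[0] in ("required", "requisite"):
        return "fingerprint-mandatory"       # a failed scan fails the stack
    if controls[0].startswith("["):
        return "fingerprint-custom-control"  # review the bracket actions by hand
    has_password = any(mod == "pam_unix.so" for _, mod in rules)
    return "fingerprint-or-password" if has_password else "fingerprint-only"

def audit(pam_dir="/etc/pam.d"):
    """Classify every service file in pam_dir (the live system by default)."""
    files = sorted(p for p in Path(pam_dir).iterdir() if p.is_file())
    return {p.name: classify(p.read_text()) for p in files}

# Constructed samples; /nix/store/EXAMPLE-* are placeholder paths.
GDM_FINGERPRINT = """\
auth  requisite  pam_nologin.so
auth  requisite  pam_faillock.so preauth
auth  required   /nix/store/EXAMPLE-fprintd/lib/security/pam_fprintd.so
auth  [success=ok default=1]  /nix/store/EXAMPLE-gdm/lib/security/pam_gdm.so
account include login
"""
LOGIN_WITH_FPRINT = """\
auth  sufficient /nix/store/EXAMPLE-fprintd/lib/security/pam_fprintd.so
auth  sufficient pam_unix.so likeauth try_first_pass  # password path
auth  required   pam_deny.so
"""
LOGIN_PASSWORD_ONLY = LOGIN_WITH_FPRINT.split("\n", 1)[1]
if __name__ == "__main__":
    for text in (GDM_FINGERPRINT, LOGIN_WITH_FPRINT, LOGIN_PASSWORD_ONLY):
        print(classify(text))
```

With the workaround above applied, audit() should report no-fingerprint for login and fingerprint-mandatory for gdm-fingerprint.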