Fingerprint Authentication

Fingerprint Authentication on Ubuntu Budgie 23.04

Among the recent changes to Ubuntu Budgie for the 23.04 release is the added ability to allow fingerprint authentication. Previously, Gnome Control Center depended on gdm3, which Ubuntu Budgie does not use, to let you set up fingerprint login. With Budgie Control Center, we are able to remove this requirement. The result is that you can enjoy the same GUI setup that the default Ubuntu experience provides. It is not enabled out of the box, but it is fairly straightforward to set up.

Note: This method is also available on 22.04 LTS if you are using the backports-budgie ppa as mentioned here:

Issues

First off, however, let’s address a couple of issues.

  • Obviously, you need a supported fingerprint scanner. Compatibility can be a bit hit-or-miss. All my ThinkPads have worked well. I have another laptop that, despite my best efforts, just will not work. A list of supported devices can be found at libfprint — Supported Devices. If you are having issues with your scanner being detected, the wider Ubuntu community is the best resource for help:

  • Gnome Keyring requires your password to unlock it. Therefore, when logging in with a fingerprint, it is not possible for the keyring to be automatically unlocked. You will notice that if you log in with a fingerprint, gnome-keyring will prompt you for a password the first time a saved password is required. It is possible to delete the password from gnome-keyring as a workaround. I personally am not a fan of this method as it will leave the saved passwords unencrypted and potentially visible to anyone with access to your device, so this is a convenience vs. security trade-off.

  • While LightDM (our login screen) DOES work with fingerprint login, it was not designed with it in mind. Therefore, the password box may have messages that scroll below the visible area. This does not affect functionality, but if the reader fails to recognize your fingerprint on the first try, further messages may be hard to see, or may not update immediately.

Getting Started

When you open the Users panel of Budgie Control Center, you will notice there is no option to enable fingerprint authentication.

We must install a couple of packages first.
This can be done from the terminal with:

sudo apt update && sudo apt install fprintd libpam-fprintd

Once this module is installed, you should log out and in. You can now open Budgie Control Center, and navigate to the Users page. You will now see an option for Fingerprint Login. If you do not see this option, your fingerprint scanner may not have been detected.

You can add your fingerprints here now. Fingerprint authorization prompts will not show up unless you have registered at least one fingerprint.

Enabling Fingerprint Authorization

After adding fingerprints, we need to enable fingerprint authorization. There are different ways this can be done, depending on how you prefer to use fingerprint authorization.

Global authorization:

This is the easiest method to enable. When this option is used, fingerprint authorization will be the primary authorization most of the time (login, lock screen, sudo, etc.). From the terminal, you can run:

sudo pam-auth-update --enable fprintd

Alternatively, you can run:

sudo pam-auth-update

When you run this, you will be presented with a screen where you can toggle fingerprint authorization on and off. Just take care not to change other settings here.

You can also use this to disable fingerprint authentication.

Configure each authorization separately:

Instead of using pam-auth-update, you can change each authorization type separately.
Do you want to use a password for sudo access, but allow fingerprint authorization at the login and lock screens? Or (my preferred method) use a password for login and sudo, but only allow unlocking the screensaver with a fingerprint? We just need to edit some configuration files. For this, you would not want to have enabled fingerprint authentication with pam-auth-update, as this will conflict with the individual changes.

Navigate to the `/etc/pam.d/` directory. In this directory are a few files you can modify. First and foremost, you should back up any file you choose to modify, just in case. Each has a different authorization it controls. The main ones:

  • lightdm (our login screen)
  • gnome-screensaver (our lock screen)
  • sudo (for using sudo in the terminal)
  • polkit-1 (the typical GUI password boxes you see when making system changes)

Simply choose the method you want to change and edit that file. In each file, you should see a line that says:

@include common-auth

The method is the same for each file. Simply add the following line directly before that line:

auth sufficient pam_fprintd.so max-tries=3 timeout=30

“max-tries” is the number of attempts before it asks for a password instead. “timeout” is how many seconds before it stops waiting for a fingerprint and asks for a password instead. You can customize these values to whatever works best for you, and you can set up each authorization type to use different values.

Disabling Fingerprint Authorization

If you decide you no longer want to use fingerprint authorization, the simplest way to disable it is to delete any stored fingerprints from the Users panel of Budgie Control Center. If there are no fingerprints saved, you will not be prompted for fingerprint authorizations anymore, even if it is still enabled.

To completely disable, you can run

sudo pam-auth-update

and make sure the Fingerprint Authorization is unticked.

Also, if you modified any files in /etc/pam.d/, just remove the
auth sufficient pam_fprintd.so
line from them, or restore the backup you made. You did make that backup, right?
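
The per-file edit from "Configure each authorization separately" and its removal described here, as an added example that is not part of the original article. The function names and the script name in the usage comment are illustrative; the inserted line and the `@include common-auth` anchor are the ones given above.

```shell
#!/bin/sh
# Added example; function names and the sample usage path are illustrative.
# "sufficient" means a fingerprint match alone satisfies auth, so the line
# must sit before "@include common-auth" to be tried ahead of the password.
FPRINT_LINE='auth sufficient pam_fprintd.so max-tries=3 timeout=30'
FPRINT_RE='^[[:space:]]*auth[[:space:]].*pam_fprintd\.so'

# enable_fprintd FILE: returns 0 if the line is present afterwards, 1 if not.
enable_fprintd() {
    file=$1
    # Already configured: leave the file alone so reruns are idempotent.
    if grep -q "$FPRINT_RE" "$file"; then
        return 0
    fi
    # Refuse to touch a file without the anchor line the article relies on.
    if ! grep -q '^@include common-auth' "$file"; then
        echo "no '@include common-auth' in $file; not modified" >&2
        return 1
    fi
    cp -p "$file" "$file.bak" || return 1
    # Print the fprintd line once, immediately before the first include.
    awk -v line="$FPRINT_LINE" '
        /^@include common-auth/ && !seen { print line; seen = 1 }
        { print }
    ' "$file.bak" > "$file.tmp" || return 1
    # Write through the existing file so its owner and mode are unchanged.
    cat "$file.tmp" > "$file" && rm -f "$file.tmp"
}

# disable_fprintd FILE: drops every pam_fprintd auth line from FILE.
disable_fprintd() {
    file=$1
    sed "/$FPRINT_RE/d" "$file" > "$file.tmp" || return 1
    cat "$file.tmp" > "$file" && rm -f "$file.tmp"
}

# Run as root, e.g.: sh script.sh enable /etc/pam.d/gnome-screensaver
case "${1:-}" in
    enable)  enable_fprintd "$2" ;;
    disable) disable_fprintd "$2" ;;
esac
```

The pre-edit copy is kept next to the file as FILE.bak, so restoring the backup stays an option.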
