The fingerprint is one of the most common inputs for authentication. Using biometric data for authentication confirms the physical presence of an individual by relying on an element that is relatively inseparable from them.
In addition, biometric data is specific to almost every individual, which adds to the security it provides. Leaving aside the legal limits on using biometric data, these features favor fingerprints over other second-factor tools.
Here’s how you can set up your fingerprint scanner on Linux using PAM (Pluggable Authentication Modules).
Things to Consider About Fingerprints
The fingerprint method is not the safest choice among your options. There are some reasons for this:
- You cannot change your fingerprint. As a result, the importance of ensuring the security of this data increases.
- People leave their fingerprints in many places, so they are easy to obtain.
- It is possible to cheat fingerprint scanning systems. Although advanced equipment makes it difficult to do this, it is not entirely impossible.
- Fingerprint scans can fail to identify the person. In particular, physical changes such as injuries can make scanning impossible.
For the above reasons, it is useful to use fingerprints as a third factor, or only as weak evidence of a person's physical presence.
Adding fingerprint authentication to a system protected only by a password will provide some more security. It makes sense to use fingerprints, especially on devices with a built-in fingerprint scanner, as the cost of doing this is almost zero.
Setting Up the Requirements
Of course, you need a fingerprint scanner to add the fingerprint feature to a device running GNU/Linux. Most devices these days have fingerprint scanners.
If you have a fingerprint scanner, the next step is to install the fprintd package on your system.
On Debian-based (Ubuntu, Mint, etc.) systems:
sudo apt-get install fprintd libpam-fprintd
Arch Linux users can install fprintd using Pacman:
sudo pacman -S fprintd
On Red Hat-based (Fedora, CentOS, etc.) systems:
sudo yum install fprintd fprintd-pam
After installation, you will have fprintd and its PAM module. Enter the following command to start enrolling a fingerprint:
fprintd-enroll -f [finger_name]
You need to tell fprintd which finger you are scanning. This way, you know which finger it is asking for during scanning. Valid finger names are:
Finger name (value for -f) | Finger |
left-thumb | Left thumb |
left-index-finger | Left index finger |
left-middle-finger | Left middle finger |
left-ring-finger | Left ring finger |
left-little-finger | Left little finger |
right-thumb | Right thumb |
right-index-finger | Right index finger |
right-middle-finger | Right middle finger |
right-ring-finger | Right ring finger |
right-little-finger | Right little finger |
Accordingly, the example command to enroll your left little finger would be as follows:
fprintd-enroll -f left-little-finger
You will then need to scan your finger four times; if successful, you will have added the fingerprint.
Using device /net/reactivated/Fprint/Device/0
Enrolling left-little-finger finger.
Enroll result: enroll-stage-passed
Enroll result: enroll-stage-passed
Enroll result: enroll-stage-passed
Enroll result: enroll-stage-passed
Enroll result: enroll-completed
To test the success of the process, you can run the command below and scan your finger:
fprintd-verify -f left-little-finger
Your registered fingerprints will be listed and you will receive a confirmation upon scanning the finger you specified.
Using device /net/reactivated/Fprint/Device/0
Listing enrolled fingers:
-
Verify result: verify-match (done)
PAM Settings You Need to Do
With regard to data integrity and the protection of personal rights, PAM is gaining more and more importance in the cybersecurity world. When attackers target a device, they use techniques such as privilege escalation to exploit it, and PAM is a precaution against such attacks.
PAM is the software responsible for user authentication on GNU/Linux systems. You can adjust the behavior of PAM with the configuration files located under the /etc/pam.d directory. If you wish, you can customize the PAM settings according to your needs.
To add fingerprint authentication to all PAM-controlled logins of your device, open the following file with a text editor of your choice:
sudo vim /etc/pam.d/common-auth
You will see text similar to the following:
Please note that if there is a problem at this stage and you enable your screen lock, you may not be able to log in to your device again, so keep a terminal with sudo authorization open until you have tested the change.
Add the following line at the end of the file:
auth required pam_fprintd.so
If you use Vim, press Escape, type :wq, and hit Enter to save the file and exit.
After this point, the system will ask you for your fingerprint for all authorization processes on your device.
To make sure everything works, and to be able to fix it easily if there is a problem, open a new terminal while keeping the sudo-authorized terminal open. Following the advice above, enter:
sudo ls ~
Your system should ask you for a password and fingerprint for sudo authorization. If this did not happen or the files under the home directory were not listed successfully, go back and check if you made a mistake in the steps.
If you encounter a problem, you can avoid being locked out of your device by undoing the changes you made in the /etc/pam.d/common-auth file from the sudo-authorized terminal and saving the file.
If you have passed the test successfully, you can now start using your device a little more securely with your fingerprint.
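The edit, test and undo steps above can be scripted so that a known-good copy of the file always exists before the change; this is an added example, not part of the original article. The function names, the script name and the .pre-fprintd backup suffix are assumptions; the PAM line and the default path are the ones given above.

```shell
#!/bin/sh
# Added example: reversible edit of a PAM auth file (not from the article).
# PAM_LINE is the article's line; function names and the backup suffix are assumptions.
PAM_LINE='auth required pam_fprintd.so'

# True if the file already has an active (uncommented) pam_fprintd.so auth line.
has_fprintd() {
    grep -Eq '^[[:space:]]*auth[[:space:]].*pam_fprintd\.so' "$1"
}

# True if the PAM module itself is installed in a usual library directory.
module_installed() {
    find /lib /usr/lib /usr/lib64 -name pam_fprintd.so 2>/dev/null | grep -q .
}

# Save a known-good copy once, then append the line only if it is missing.
enable_fprintd() {
    file=$1
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 1; }
    if has_fprintd "$file"; then
        echo "already enabled in $file"
        return 0
    fi
    # Never overwrite an existing backup: it is the copy from before any change.
    [ -e "$file.pre-fprintd" ] || cp -p "$file" "$file.pre-fprintd" || return 1
    # Add a newline first if the file does not end with one.
    if [ -n "$(tail -c 1 "$file")" ]; then printf '\n' >> "$file"; fi
    printf '%s\n' "$PAM_LINE" >> "$file"
}

# Put the saved copy back, undoing enable_fprintd.
rollback_fprintd() {
    file=$1
    [ -f "$file.pre-fprintd" ] || { echo "no backup for $file" >&2; return 1; }
    cp -p "$file.pre-fprintd" "$file"
}

# Usage (as root): sh pam-fprintd.sh enable|rollback [file]
case "${1:-}" in
    enable)
        module_installed || { echo "pam_fprintd.so not installed" >&2; exit 1; }
        enable_fprintd "${2:-/etc/pam.d/common-auth}" ;;
    rollback)
        rollback_fprintd "${2:-/etc/pam.d/common-auth}" ;;
esac
```

Run it with enable from the sudo-authorized terminal, test with sudo ls ~ in a second terminal, and run it with rollback from the first terminal if the test fails.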
Considerations for Non-Admin Users
If there is more than one user on the device and only one user uses a fingerprint, you can change the /etc/pam.d/common-auth configuration to the following so that only users with fingerprint setup need the second factor. However, this is a step that you should consider carefully, as it will exclude the root user from 2FA:
auth required pam_fprintd.so nullok
If you want to log in as the root user with a fingerprint, you need to repeat the above steps as the root user.
Protecting Your Linux Device With Fingerprint
Fingerprints are not an easy hurdle for malicious users to overcome when trying to gain access to your device. Therefore, if you have taken all the precautions to protect your device, you can also take advantage of the security that fingerprints offer. However, do not forget that you must carry out the fingerprint configuration correctly, step by step.
The fingerprint scanner you are using should not let you down, which is why you need to trust your hardware. In addition, there are much easier methods you can use for your device security. However, fingerprints should not be neglected.