Fingerprint Login Setup

Set up fingerprint login on Ubuntu 24.04-based distros, verify scanner support, enable PAM authentication, and fix common fprintd power-state issues.

Intermediate Verified Working Updated 11 min read Tested on Zorin OS 18.1 Pro (Ubuntu 24.04 Noble base) Hardware Lenovo ThinkPad L14 Gen 2 (i5-1135G7, 16GB RAM)

What This Guide Achieves

This guide sets up fingerprint authentication on an Ubuntu 24.04-based desktop or laptop that already has a supported fingerprint scanner.

On the tested system, the fingerprint reader was:

06cb:00bd Synaptics, Inc. Prometheus MIS Touch Fingerprint Reader

That reader is built into a Lenovo ThinkPad L14 Gen 2 and worked through the standard Linux fingerprint stack: libfprint, fprintd, and libpam-fprintd.

Use this guide to:

  • Confirm Linux can see the fingerprint reader.
  • Update firmware before enrollment.
  • Install the fingerprint authentication packages.
  • Enroll a fingerprint from the GUI or terminal.
  • Enable fingerprint authentication through PAM.
  • Fix the common No devices available and missing lock-screen prompt problems.
  • Add an optional autosuspend rule for the tested Synaptics reader if the sensor disappears after sleep.

This is not a ThinkPad-only concept. The setup path is general for Ubuntu 24.04-based distros, but the final autosuspend rule is hardware-specific and should only be used after confirming your scanner ID.

Important Expectations

Fingerprint login on Linux is useful, but it should not replace your password in your mental model.

SituationWhat to Expect
Unlocking after screen lock or sleepFingerprint usually works after setup
Running sudo commandsFingerprint can work after PAM is enabled
First login after cold bootPassword may still be required
Unlocking GNOME KeyringPassword is commonly still required
Unsupported scannerfprintd cannot enroll fingerprints

The key point: keep your password strong and memorable. Fingerprint authentication is convenience, not a complete password replacement.

Tested System

ComponentTested Detail
LaptopLenovo ThinkPad L14 Gen 2
Fingerprint readerSynaptics Prometheus MIS Touch Fingerprint Reader
USB ID06cb:00bd
OSZorin OS 18.1 Pro
BaseUbuntu 24.04 Noble
KernelLinux 6.17.0-20-generic
SessionX11
Firmware after updateSystem firmware R1JET72W / 1.72

The same commands should apply to Ubuntu, Zorin OS, Linux Mint, Pop!_OS, and similar Ubuntu-based distros when the fingerprint reader is supported by libfprint.

Step 1 - Check Whether Linux Sees the Scanner

Start by checking USB devices:

lsusb

Look for a line that mentions Fingerprint, Synaptics, Goodix, Validity, Elan, or a similar scanner vendor.

On the tested ThinkPad, the relevant line was:

Bus 003 Device 003: ID 06cb:00bd Synaptics, Inc. Prometheus MIS Touch Fingerprint Reader

If you see the scanner in lsusb, the kernel can see the hardware. That does not guarantee fprintd can use it, but it is the right first signal.

If you do not see the scanner:

  • Check whether fingerprint hardware is disabled in BIOS/UEFI.
  • Shut down fully, wait 10-15 seconds, then boot again.
  • Update firmware as shown in the next step.
  • Search your exact USB ID on the libfprint supported devices list. That page tracks libfprint development support, so your distro’s packaged version still matters.

Step 2 - Update Firmware Before Enrolling

Firmware matters for fingerprint readers. On the tested ThinkPad, fwupdmgr confirmed the Prometheus and Prometheus IOTA Config devices were already on the latest available firmware after system firmware updates were applied.

Refresh firmware metadata:

sudo fwupdmgr refresh

Check available updates:

sudo fwupdmgr get-updates

Apply available updates:

sudo fwupdmgr update

If firmware is updated, do a full shutdown instead of only restarting:

  1. Save your work.
  2. Shut down the laptop completely.
  3. Wait 10-15 seconds.
  4. Power it back on.

This matters because fingerprint readers often sit on an internal USB bus. A full power cycle resets the device more completely than a normal reboot.

Step 3 - Install the Fingerprint Packages

Install the standard Ubuntu fingerprint packages:

sudo apt update
sudo apt install fprintd libpam-fprintd

What these packages do:

PackagePurpose
fprintdBackground service and command-line tools for fingerprint devices
libpam-fprintdPAM module that lets login, lock screen, and sudo use fingerprint authentication

If apt says the packages are already installed, that is fine. Continue to enrollment.

If apt prints a long packages were automatically installed and are no longer required message, do not panic. That is unrelated to fingerprint setup. Review the package list before running cleanup. For safe cleanup habits, see Package Management Basics.

Step 4 - Enroll a Fingerprint

You can enroll through the graphical settings app or through the terminal.

For most desktop users, try the GUI first.

Option A - GUI Enrollment

On GNOME-based desktops such as Ubuntu, Zorin OS, and many Ubuntu-based distros:

  1. Open Settings.
  2. Go to Users.
  3. Unlock the panel with your password if needed.
  4. Open Fingerprint Login.
  5. Follow the prompts to enroll your finger.

Different Ubuntu-based distros may place this option under slightly different labels. If your settings app does not show Fingerprint Login, use the terminal method.

Option B - Terminal Enrollment

Enroll the default finger:

fprintd-enroll

Enroll a specific finger:

fprintd-enroll -f right-index-finger

Common valid finger names include:

left-thumb
left-index-finger
left-middle-finger
left-ring-finger
left-little-finger
right-thumb
right-index-finger
right-middle-finger
right-ring-finger
right-little-finger

After enrollment, verify the fingerprint:

fprintd-verify

You can list enrolled fingerprints for your user:

fprintd-list "$USER"

Step 5 - Enable Fingerprint Authentication in PAM

Installing libpam-fprintd provides the PAM profile, but you still need to make sure it is enabled.

Run:

sudo pam-auth-update

In the text interface:

  1. Leave the existing default selections enabled.
  2. Make sure Fingerprint authentication is selected.
  3. Do not disable Unix authentication.
  4. Press Tab until <Ok> is selected.
  5. Press Enter.

Recommended selections are:

PAM ProfileRecommended StateWhy
Fingerprint authenticationSelectedEnables fingerprint authentication
Unix authenticationSelectedKeeps normal password login working
GNOME Keyring Daemon - Login keyring managementSelected if already selectedKeeps normal desktop keyring behavior
Pwquality password strength checkingSelected if already selectedKeeps password quality checks
SSS authenticationLeave as-isSome installs enable this by default
Smart card authenticationLeave unchecked unless you use smart cardsNot needed for fingerprint login
Create home directory on loginLeave unchecked unless you know you need itUsually for managed/domain systems

The critical safety rule is simple: enable fingerprint authentication, but do not remove password authentication.

Step 6 - Test It

Test terminal authentication:

sudo -k
sudo true

If fingerprint authentication is active for sudo, you should get a fingerprint prompt or password fallback.

Test the lock screen:

  1. Lock the screen.
  2. Try the fingerprint reader.
  3. If the prompt does not appear, type the password once, then test again after locking from inside the session.

On many GNOME-based systems, the first login after a cold boot may still require the password. That is normal because the encrypted login keyring often needs the actual password.

Fix: Impossible to enroll: No devices available

If enrollment fails like this:

Impossible to enroll: GDBus.Error:net.reactivated.Fprint.Error.NoSuchDevice: No devices available

Work through this order.

Restart fprintd

sudo systemctl restart fprintd

Then try again:

fprintd-enroll

Check whether the scanner is still visible

lsusb

If the scanner is visible in lsusb but fprintd still reports no device, inspect the service:

systemctl status fprintd --no-pager

For fuller logs:

journalctl -u fprintd --no-pager | tail -n 30

If you see messages like Ignoring device due to initialization error, the scanner may be stuck after firmware update, suspend, or USB power cycling.

Do a cold boot

This fixed the tested system.

  1. Shut down completely.
  2. Wait 10-15 seconds.
  3. Power on again.
  4. Run fprintd-enroll again.

Do not skip the full shutdown. A normal restart may not fully reset the internal USB device.

Reset fingerprint data in BIOS/UEFI

Use this only if enrollment still fails after a cold boot, especially if the laptop was previously used with Windows or another OS.

On many ThinkPads:

  1. Reboot.
  2. Press Enter, then F1 at the Lenovo logo to enter BIOS/UEFI.
  3. Go to Security.
  4. Open Fingerprint.
  5. Choose Reset Fingerprint Data or Clear All Fingerprints.
  6. Save and exit.
  7. Boot Linux and enroll again.

Exact BIOS wording differs by model.

Fix: Fingerprint Worked Before, Then Disappeared

If fingerprint login worked for several days and then disappeared from the lock screen, check these in order.

Confirm it is not the first login after boot

After a full reboot, type your password once. Then lock the screen and test fingerprint unlock again.

Restart the service

sudo systemctl restart fprintd

Check PAM selection

sudo pam-auth-update

Make sure Fingerprint authentication is still selected.

Confirm the device is still on USB

lsusb

On the tested machine, the reader changed USB device numbers after sleep:

Bus 003 Device 009: ID 06cb:00bd Synaptics, Inc. Prometheus MIS Touch Fingerprint Reader

The changing Device 009 number is not itself a problem. It only means the USB device re-enumerated. If the fingerprint prompt disappears after that, fprintd may have failed to reinitialize it.

Use the cold boot fix

If lsusb sees the device but fprintd ignores it, shut down fully and power back on.

On the tested ThinkPad, the cold boot restored fingerprint login.

Optional Permanent Fix for Synaptics 06cb:00bd

Only use this section if all of the following are true:

  • Your scanner disappears or stops working after suspend.
  • lsusb confirms the device ID is exactly 06cb:00bd.
  • A full shutdown fixes the problem temporarily.

Create a udev rule:

sudo nano /etc/udev/rules.d/99-fingerprint-autosuspend.rules

Paste this line:

ACTION=="add", SUBSYSTEM=="usb", ATTR{idVendor}=="06cb", ATTR{idProduct}=="00bd", ATTR{power/control}="on"

Apply it:

sudo udevadm control --reload-rules
sudo udevadm trigger

What this does:

  • 06cb is the Synaptics vendor ID.
  • 00bd is the tested Prometheus fingerprint reader product ID.
  • ATTR{power/control}="on" tells Linux not to put that USB device into autosuspend mode.

Do not copy this rule for a different fingerprint reader without changing the vendor and product IDs. You can identify your own IDs from the lsusb output. In ID 06cb:00bd, the first part is the vendor ID and the second part is the product ID.

Remove Fingerprint Authentication

If you want to disable fingerprint authentication but keep the packages installed:

sudo pam-auth-update

Uncheck Fingerprint authentication, leave Unix authentication selected, then save with <Ok>.

If you created the optional autosuspend rule and want to remove it:

sudo rm /etc/udev/rules.d/99-fingerprint-autosuspend.rules
sudo udevadm control --reload-rules
sudo udevadm trigger

If you want to remove the packages too:

sudo apt remove fprintd libpam-fprintd

Do not remove PAM-related packages randomly. If authentication is misconfigured, you can lock yourself out. Keep password login enabled.

Quick Decision Guide

SymptomLikely CauseFirst Fix
lsusb does not show fingerprint readerDisabled hardware, firmware state, BIOS settingFirmware update, cold boot, BIOS check
lsusb shows reader but fprintd-enroll says no devicefprintd cannot initialize readerRestart fprintd, then cold boot
Prompt disappeared after sleepUSB autosuspend or service reinit failureRestart fprintd, cold boot, optional udev rule
Password required after rebootNormal keyring/session behaviorType password once
sudo does not ask for fingerprintPAM profile not enabledRun sudo pam-auth-update
GUI has no Fingerprint Login optionUnsupported scanner or missing packagesInstall packages, check lsusb, check libfprint support

Official References

Discussion