Fingerpint Reader
Linux can utilize fringerprint readers through fprintd. It allows the Pluggable Authentication Modules (PAM) stack to check for registered biometric data before falling back to standard password entry.
Installation
Install the standard fingerprint imaging daemon from the official repositories:
sudo pacman -S fprintd
Enrollment
GNOME and KDE both offer fingerprint enrollment via their settings apps. Enrolling fingerprints this way also allows you to unlock your desktop session.
If you'd rather enroll via the terminal, use fprintd-enroll:
fprintd-enroll
Verify that the system successfully stored your fingerprint and reads the biometric data:
fprintd-verify
Configuring PAM
In order to use your fingerprint to authenticate sudo prompts in the terminal and on the desktop through Polkit, some additional setup is required.
sudo
WARNING: Always keep a separate terminal window open with an active root shell (sudo -s) while modifying PAM configurations. There's no sanity checks in place and incorrect configurations can lock you out of your system.
Open the sudo configuration file:
sudo nano /etc/pam.d/sudo
Insert the pam_fprintd.so module as sufficient directly below the file header. This instructs PAM to succeed immediately if a fingerprint matches, or fail cleanly to the password prompt if it does not.
#%PAM-1.0
auth sufficient pam_fprintd.so
auth include system-auth
account include system-auth
session include system-auth
Verify everything works as expected by opening a brand new terminal window and open an interactive root shell with sudo -i. The system should prompt you to touch the fingerprint reader with a finger you enrolled.
Polkit
To allow graphical authentication banners in GNOME and KDE to accept biometric inputs, modify the Polkit configuration:
sudo nano /etc/pam.d/polkit-1
Replicate the structure used for sudo:
#%PAM-1.0
auth sufficient pam_fprintd.so
auth include system-auth
account include system-auth
password include system-auth
session include system-auth