FingerprintAuth
Fingerprint authentication
Fingerprint authentication is not currently delivered in any mainstream hardware enablement projects. At the time of initial writing, this page outlines the possibilities for enabling it.
The most suitable fingerprint auth software packages are built around the fprint project, the only actively developed open source code with fairly wide hardware support. However, even development of fprint is not very active.
There is also the fingerprint-GUI project, which includes closed source drivers to enable a few more devices, including all UPEK devices. It is less well integrated with GNOME and something of a hobby project.
fprint
- The fprint packages in natty are very out of date and do not work. The device isn't recognized.
- oneiric has more up to date libraries but still only offers the deprecated libpam-fprint rather than libpam-fprintd.
- ppa:fingerprint/fprint has appropriate packages for a trouble-free installation. Obviously great care would be needed before integrating this code into a commercial install. The Oneiric packages are the same as Natty in this PPA - at time of writing oneiric isn't stable enough to test.
- The code is of unknown quality and would warrant a security audit before issuing it in a customer release.
Usage
With packages libfprint0 libpam-fprintd gksu-polkit, fingerprint auth is quite straightforward:
- In "About Me" select "Enable Fingerprint Login"
- Follow the prompt to train the system with your fingerprint with 5 swipes (seems to take 6; a little unpolished)
That's it. Login, screen unlock and sudo authentication will now prompt for the fingerprint reader, but a gksu operation will silently wait for a finger swipe.
Limitations/bugs
PAM is single threaded - hard to drop down to password auth
PAM can only perform one authentication method at a time. There is no direct way at the login screen, screen lock, etc. to bypass fingerprint auth and use a password. The easiest way is to swipe the wrong finger repeatedly. Allegedly, "Fedora 12 has enhanced the GDM login screen with a button that switches between password and fingerprint authentication mode".
Passwords are required for keyrings, ecryptfs to work
You can't unlock a keyring or an encrypted filesystem without a password. Selectively disabling fingerprint auth for first login would be desirable and should be fairly easy, but isn't supported out of the box in the packages.
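The check below is an added example, not code from fprint or from this page. It walks a PAM auth stack and reports which password-dependent modules are never reached once a fingerprint module marked "sufficient" succeeds, which is why the keyring and ecryptfs stay locked after a swipe. The sample stacks are constructed, "gdm-password" is a hypothetical password-only service for the first login, and the module names are assumptions based on the packages named above.

```python
import re

# Assumed module names: libpam-fprintd / libpam-fprint, gnome-keyring, ecryptfs.
FINGERPRINT = {"pam_fprintd.so", "pam_fprint.so"}
NEEDS_PASSWORD = {"pam_gnome_keyring.so", "pam_ecryptfs.so"}

# Constructed sample of /etc/pam.d content; "gdm-password" is a hypothetical
# password-only service for the first login.
SAMPLE = {
    "common-auth": "auth sufficient pam_fprintd.so\n"
                   "auth required pam_unix.so\n"
                   "auth optional pam_ecryptfs.so unwrap\n",
    "gdm": "auth requisite pam_nologin.so\n"
           "@include common-auth\n"
           "auth optional pam_gnome_keyring.so  # unlocks the login keyring\n",
    "gdm-password": "auth required pam_unix.so\n"
                    "auth optional pam_ecryptfs.so unwrap\n"
                    "auth optional pam_gnome_keyring.so\n",
}


def auth_stack(service, files, seen=()):
    """Return (control, module) for each auth line, following @include."""
    chain, entries = seen + (service,), []
    for raw in files.get(service, "").splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("@include"):
            target = line.split()[1:2]
            if target and target[0] not in chain:  # guard against include loops
                entries += auth_stack(target[0], files, chain)
            continue
        m = re.match(r"-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)", line)
        if m and m.group(1) == "auth":
            entries.append((m.group(2), m.group(3).rsplit("/", 1)[-1]))
    return entries


def skipped_by_fingerprint(service, files):
    """Password-dependent modules that never run once a swipe succeeds."""
    stack = auth_stack(service, files)
    for i, (control, module) in enumerate(stack):
        # 'sufficient' (or success=done) returns success immediately.
        if module in FINGERPRINT and (control == "sufficient" or "success=done" in control):
            return [m for _, m in stack[i + 1:] if m in NEEDS_PASSWORD]
    return []


if __name__ == "__main__":
    for name in ("gdm", "gdm-password"):
        print(name, skipped_by_fingerprint(name, SAMPLE))
```

Numeric jump controls such as [success=1 default=ignore] are not modelled here; only "sufficient" and "success=done" are treated as ending the stack.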
gksu silently expects a finger swipe
gksu needs to be replaced with gksu-polkit to behave properly. At present it gives no indication that a swipe is expected, except that on at least some hardware the light on the reader illuminates.
fprint Supported Hardware
045e:00bb 05ba:0007 08ff:2580
045e:00bc 05ba:0008 08ff:5501
045e:00bd 05ba:000a 1162:0300
045e:00ca 061a:0110 138a:0001
0483:2015 08ff:1600 147e:1000
0483:2016 08ff:2500 147e:2016
Fingerprint GUI
Brings support for more hardware, and a few additional features, but is much less well integrated for setup.
The framework's code is GPL v3, but to support additional hardware it makes use of UPEK's closed source / binary blob libraries (BSAPI). The license agreement with that library is attached.
Supported Hardware
In addition to the fprint supported devices:
0483:2015 147e:1002 147e:3000
0483:2016 147e:1003 147e:3001
147e:1000 147e:2015 147e:5002
147e:1001 147e:2016 147e:5003
Legal Issues
Data protection laws in the EU do not seem to apply here. The laws concern the collection and transmission of data by officials without consent. Here the data is collected with consent and not shared outside the system. It could be an issue if the home directory is on another system.
Links
team packaging fingerprint reader options - has useful information and PPAs for both fprint and Fingerprint GUI.
BluePrints/FingerprintAuth (last edited 2011-10-24 19:57:56 by gekker)