Setup fingerprint login on Arch Linux with LightDM

1. Check Your Fingerprint Reader

Make sure your fingerprint reader is supported. You can check your device with:

lsusb

Then look up your reader on list of supported devices or the list of unsupported devices.
Note: The list of supported devices is not updated frequently and may be incomplete. It is recommended to test your device before making any conclusions.

2. Install the Needed Packages

Open a terminal and install fprintd (it will also install libfprint):

sudo pacman -S fprintd

3. Enroll Your Fingerprint

Run this command in your terminal (replace yourusername if needed):

fprintd-enroll

Follow the on-screen instructions to swipe your finger until it says enrollment is complete.

4. Configure PAM for LightDM

Edit the LightDM PAM file to allow fingerprint login:

sudo nano /etc/pam.d/lightdm

At the top of the file, add this line (before any other “auth” lines):

auth    sufficient   pam_fprintd.so

Then save and close the file.

5. Restart LightDM

Restart LightDM to apply the changes:

sudo systemctl restart lightdm

---

Restrict Fingerprint Enrollment (Optional)

By default, any user can enroll new fingerprints without authentication. You can change this behavior using polkit rules.

1. Locate the Polkit Configuration Files

Polkit configuration files are stored in two locations:

/etc/polkit-1/rules.d/  
/usr/share/polkit-1/rules.d/  

Note: Do not modify files in /usr/share/polkit-1/rules.d/ directly, as they may be overwritten during updates. Instead, copy them to /etc/polkit-1/rules.d/ and edit them there.

2. Restrict Enrollment to Root Only

To allow only the root user to enroll fingerprints, create a new rule file:

sudo nano /etc/polkit-1/rules.d/50-net.reactivated.fprint.device.enroll.rules

Add the following content:

polkit.addRule(function (action, subject) {
  if (action.id == "net.reactivated.fprint.device.enroll") {
    return subject.user == "root" ? polkit.Result.YES : polkit.Result.NO;
  }
});

Save the file and exit.

3. Apply Changes

No reboot is required, but you may need to restart the polkit service for changes to take effect:

sudo systemctl restart polkit

Now, only the root user can enroll new fingerprints.

This simple setup should allow you to log in using your fingerprint. Enjoy your new login method!