this post was submitted on 08 Jun 2025
121 points (96.9% liked)

Linux

10975 readers
252 users here now

Welcome to c/linux!

Welcome to our thriving Linux community! Whether you're a seasoned Linux enthusiast or just starting your journey, we're excited to have you here. Explore, learn, and collaborate with like-minded individuals who share a passion for open-source software and the endless possibilities it offers. Together, let's dive into the world of Linux and embrace the power of freedom, customization, and innovation. Enjoy your stay and feel free to join the vibrant discussions that await you!

Rules:

  1. Stay on topic: Posts and discussions should be related to Linux, open source software, and related technologies.

  2. Be respectful: Treat fellow community members with respect and courtesy.

  3. Quality over quantity: Share informative and thought-provoking content.

  4. No spam or self-promotion: Avoid excessive self-promotion or spamming.

  5. No NSFW adult content

  6. Follow general lemmy guidelines.

founded 2 years ago
MODERATORS
MigratingtoLemmy@lemmy.world
121
Linux Mint 22.2 Adds Native Fingerprint Login Support (www.omgubuntu.co.uk)
submitted 1 day ago by tonytins@pawb.social to c/linux@lemmy.world
6 comments fedilink hide all child comments
all 7 comments
sorted by: hot top controversial new old
[–] Flatfire@lemmy.ca 24 points 1 day ago* (last edited 23 hours ago) (1 children)

Fingerprint sensors have been an interesting hurdle for Linux distros. Not one I necessarily would have anticipated either. The biggest question seems to come down to their security as well, given that there have been exposed flaws in the design of biometric hardware that tries to generalize its compatibility.

Microsoft has defined SDCP as a strong standard for TPM/Windows, but there isn't an equivalent for Linux. Match on chip sensors have made things a bit easier, but there isn't a standard way to communicate the validated authentication to the OS, usually relying on TLS.

[–] Jumuta@sh.itjust.works 11 points 23 hours ago (1 children)

it's always amazed me that fingerprint sensors aren't all match on chip, for the longest time I assumed that the fingerprint reader held a key for unlocking the device that is only returned with the correct fingerprint. How else do you implement them securely?

[–] 3abas@lemm.ee 5 points 19 hours ago

It is. It's just... how do you know you're actually talking to the fingerprint sensor and not a fake one that's been plugged in?

Think of it like a locked mailbox: the fingerprint sensor might securely match the fingerprint and only unlock if it's correct—but if anyone can swap out the mailbox with their own lookalike, and the OS just blindly accepts the "unlocked" signal, the whole security model breaks. Without an attestation mechanism (like SDCP on Windows or secure enclave-backed verification), the OS can't prove it's getting input from trusted hardware. Match-on-chip helps, but it's not enough unless the result is cryptographically signed by the sensor and validated by the OS through a trusted, authenticated channel.

That's the gap in Linux: there's no widely adopted standard for verifying that trust path end-to-end.

[–] duckiegobrrr@kbin.earth 4 points 23 hours ago (1 children)

This only really works for people who have hardware whose fingerprint readers are supported by upstream fprintd; would be interesting if they (or another distro; haven't seen anybody implement this yet) add a "just works" option for installing and setting up e.g. libfprint-tod-vfs0090 or python-validity (which I use on two of my machines actually), similar to how some distros (Mint included I believe, but haven't dealt with it in a while) give you an option for installing Nvidia proprietary drivers (or just make it work out of the box).

However these drivers are extremely sketch at times so... I guess there's some good out of it not being preconfigured for people (because you have to look into it yourself and realize just how terrifying they are, both security and stability wise, python-validity especially)...

(though now I'm on NixOS where I have it pretty much "just work" through not that much effort, at least not as much as on Arch, and definitely not as much as on Mint which was painful because PPA fuckery)

[–] Pika@sh.itjust.works 2 points 21 hours ago (1 children)

ah, there is it. My reader isn't supported by fprintd so I guess I wouldn't benefit from this change. I'm glad I saw this before I decided to give mint another go

[–] duckiegobrrr@kbin.earth 1 points 11 minutes ago

don't worry though, it's meh-ish on all distros, and nobody automatically sets it up for you (as easy as I made it out to be on NixOS, it's not, and it was only "easy" because I'd already dealt with the driver before... in fact I had to carry over my old systemd suspend/hibernate restart script for it because it doesn't really cooperate with waking up from sleep)...

...unless your reader just isn't supported at all, in which case yeah nope