Fingerprint Login Ubuntu 25.10

The current fingerprint seems to only support login.
For a future version, can we also include the fingerprint for sudo requests?

Ubuntu 25.10

Also, first-time post; let me know if feedback is expected to be put into another category.

It would also be great to have fingerprint login for LUKS (for full-disk encryption).

This would be a great feature. Fingerprint scanning is useful for login, but my sudo password is often quite long (for security reasons). It’s a nice feature, but it’s very limited in what it can do right now, but the backend is there (fprintd) and supported for sudo. Though it seems like LUKS decryption through biometrics would require external hardware to set up properly, which is out of scope. You can check out https://unix.stackexchange.com/questions/343501/how-do-you-use-a-fingerprint-to-boot-luks-encrypted-arch-linux.

This is a great feature request, and I hope it gets implemented. For now, it looks like you would have to set up sudo auth through the terminal.

Just a comment on security:
A fingerprint is not a password, it’s a user ID. A wrongdoer can chop off your finger.
A password ideally only exists in your brain.

I do think the user should have the choice as to how secure they want their devices to be. If they are forced to unlock their laptop at gunpoint, I would say they have bigger issues at that particular moment than the ease-of-use that fingerprints allow. It’s fair to assume biometrics are (and should be) reasonably secure for most use-cases (such as stolen or lost devices). If you are in a position where somebody is going as far as to cut off your finger for it (for example, a security specialist for a major banking organization working remotely) you would be going out of your way to maintain your organization’s (or your own) security standards.

I’m with you. But the point is that you can change a password. You can’t change your fingerprint, meaning it’s only useful as user ID, not as security code aka PW.
If your fingerprint is captured on some arbitrary device, it can be used to open all your other devices if used as PW. In all future.

This discussion about chopping off fingers, etc., is out of scope. Modern smartphones use biometrics, as do physical security keys such as Titan or Yubikey. There’s no reason why this shouldn’t be offered on laptops and desktops.

That’s not to say that we shouldn’t have a password; of course we should. Biometrics should be offered as an extra, just as TOTP is offered as an extra for 2FA.

The problematic thing here is due to the limitation that most fingerprint devices have at the moment, since they do not allow safely saving a secret that cannot be used for log-in and credentials unlock.

This may be handled by the operating system, but we’re lacking secret storage, and it’s not something that we can do anyway without proper secure boot and TPM-FDE.

You can enable it if you want; it’s easy via sudo pam-auth-update, but it’s not something we will enable by default, as there are security concerns that are mostly due to the nature of the whole infrastructure.

I do not think it has to be enabled by default, but it should be an option available for those who want to explicitly enable it in the User Settings. Just the same way the fingerprint login setup isn’t accessible through the installer, it’s already an optional feature.

I’m with you on that.

Cheers.

Some physical FIDO2 security key devices do have such a thing, e.g. certain models of Yubikey have fingerprint readers. If that level of security is important to you, it might be worth investing in them.

You are right, a fingerprint is not a password, but it’s not a user ID as well. It is more a form of authentication. User ID is more of an identification, password is also a form of authentication too, so both serve the same purpose, just that one is something you know and can be changed or updated (password) while the other is something that you are, which can’t be changed (fingerprint), and I feel its immutable nature makes it good for the future. If you are ever in a situation where your finger can be cut off, then your password won’t be of much help as well. Unless you are saying in the aspect where an accident happens and one loses a finger. With both logics being right at the same time, I think having both features should be the best.

I can’t imagine anything that’s more of an identification than a fingerprint (except DNA). Fingerprints send people to jail or death row.
Authentication is something else.