Absolute Cinema: Configuring Zorin to require a password on startup w/fingerprint enabled

Alllllrighty. So I've noticed a lot of users asking about removing keyring passwords and such after having fingerprint login enabled. This isn't that : D

I wanted to see if it's possible to tweak something so that a fingerprint login isn't possible on startup. To clarify, I have fingerprint login turned on and it works great, but I don't want the ability to log in with my fingerprint on OS startup. I'd like to have the ability to log in with my fingerprint only after first logging in with my password. Hope that made sense XD

So you want to log in with your password first and then with your fingerprint? Do you want two-factor authentication?

Nope. Just for fingerprint login to be enabled only after a password login was successful.

But then you are already logged in. Sorry, I don't understand your aim.
Should the fingerprint be for the authentication of a specific process and not for the login?

I think the goal is to mimic how Android works: when you boot your phone the first time, the fingerprint sensor is disabled. You have to enter your password/pattern to unlock it, and then the fingerprint will work.
However, the difference is that on Android you don't really log out of your account. You simply lock the screen.

Not sure if there's a built-in configuration option for that, however. The easiest way I can think of is simply disabling the fingerprint service entirely, so that it doesn't run at all, and when you log in you can start it yourself manually.
This is a bit inconvenient but that's sort of the goal of security, to put stuff in the way that's only easy for those with access. I assume this must be the reason you want to disable this?

You can do this through the terminal by running the command:

  1. Disable the service from running:

    sudo systemctl disable --now fprintd
    
  2. And the command to enable it afterwards for the current session only:

    sudo systemctl start fprintd
    

Don't confuse enable/disable with start/stop; the former set of commands configure whether the service starts automatically. The latter only apply it for the current session.

1 Like

Gotta love drunk what if thoughts mixed with Linux.

You could try it with the dconf editor. You can install it with sudo apt install dconf-editor and then open it and go to org>gnome>login-screen and there is a toggle to activate Fingerprint for login.

The only downside with that approach is that you'd have to disable it again every time you turn off your computer (otherwise it stays on).

Another option is to run a command automatically when you log in. This can be easily done, but activating background services requires elevated permissions so you'd be prompted for a password again as soon as you log in.

To achieve this, you need to create a new file inside the directory ~/.config/autostart. The name does not matter, as long as it ends with a .desktop extension.
Note that files and folders starting with a dot (.) are hidden by default; press Ctrl+H in the file manager to toggle this view.

The contents of this file should be as follows:

    [Desktop Entry]
    Type=Application
    Exec=/bin/bash -c "sudo /usr/bin/systemctl start fprintd"
    Terminal=false
    Name=Fingerprint Service
    Comment=Starts the fingerprint service automatically after logging in

This will create a new entry available to enable inside "Startup Applications":

You can take this a little further and skip the prompt for your password after you've logged in for this command only, by running the following command in a terminal:

    echo "$USER ALL=(ALL) NOPASSWD: /usr/bin/systemctl start fprintd, /usr/bin/systemctl stop fprintd" | sudo tee -a /etc/sudoers.d/fingerprint

And restart the computer for changes to take effect. What this command does is create a new configuration that exempts your user from entering a password when running the commands "/usr/bin/systemctl start fprintd" and "/usr/bin/systemctl stop fprintd".

I should warn you, and others reading this... you might get tempted into using this little trick to add exceptions everywhere to run sudo commands without entering your password. This is a dangerous game. Do not do this. Use it with care, and at your own risk.

With this, once you've logged in the fingerprint service should be started automatically. I hope that this is enough, as I don't have a computer to test this on, so good luck!

1 Like
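
A more careful way to install the sudoers rule from the post above, added here as an example and not part of the original thread: it writes the same rule to a temporary file, has visudo parse it, and only then installs it as a root-owned file with mode 0440. The function names and the conservative user-name filter are assumptions of this example.

```shell
#!/bin/sh
# Added example: install the fprintd sudoers rule only after a syntax check.
# The drop-in path and the rule text are the ones given in the post above.
RULE_FILE=/etc/sudoers.d/fingerprint

# Build the rule for one user. Only the two exact commands are exempted.
render_rule() {
    printf '%s ALL=(ALL) NOPASSWD: /usr/bin/systemctl start fprintd, /usr/bin/systemctl stop fprintd\n' "$1"
}

# Conservative filter (assumption of this example): refuse names that could
# change the rule's meaning, such as ALL, %group, wildcards or whitespace.
valid_user() {
    case "$1" in
        ''|ALL|-*|*[!a-z0-9_-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Write to a temp file, let visudo parse it, then install as root-owned 0440.
# A rule that fails the check is never placed under /etc/sudoers.d.
install_rule() {
    valid_user "$1" || { echo "refusing user name: $1" >&2; return 1; }
    tmp=$(mktemp) || return 1
    render_rule "$1" > "$tmp"
    if sudo visudo -cf "$tmp"; then
        sudo install -o root -g root -m 0440 "$tmp" "$RULE_FILE"
        rc=$?
    else
        echo "syntax check failed, nothing installed" >&2
        rc=1
    fi
    rm -f "$tmp"
    return "$rc"
}

# Runs only when asked, e.g.:  sh fingerprint-sudoers.sh install
if [ "${1:-}" = install ]; then
    install_rule "$(id -un)"
fi
```

Unlike tee -a, this replaces the drop-in file on every run, so repeating it does not append duplicate lines.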

Yeah no lmao. Not messing with privileges, was just curious. Thanks though.

1 Like