T460s fingerprint reader in Linux

Lenovo ThinkPad T460s laptop has a built-in fingerprint reader, but unfortunately until recently there was no way to make it work. You know the story: the manufacturer (Validity, later bought by Synaptic) refuses to release the documentation and says they may release proprietary Linux driver someday. Thankfully, Nikita Mikhailov started reverse engineering these sensors and that work has been adapted by Marco Trevisan to create a functional fprint driver for 2016 ThinkPads (including T460s).

The procedure to make it work is not very straightforward, so I’ve decided to document it here for posterity.

First, let’s make sure we have the proper model of the reader:

$ lsusb | grep Fingerprint

Bus 001 Device 006: ID 138a:0090 Validity Sensors, Inc. VFS7500 Touch Fingerprint Sensor

Windows driver, eww

The worst part of the procedure is to activate the device. Thus far this can only be done in Windows. If you have already used the reader before, chances are you’re good to go. If not, you’ll need a Windows Virtualbox instance with USB pass-through enabled and Extension pack installed. Then go to virtual machine settings | USB and add “Validity Sensors, Inc.” device to the list.

I’ve ran into trouble when trying to install official fingerprint reader drivers from Lenovo website. The installer would just quit with “Lenovo machines: Lenovo Touch Fingerprint Software cannot be installed on this machine. Setup will terminate now.” message. So I’ve downloaded a huge SCCM driver package, installed it and pointed Windows to look for drivers there. I’ve extracted only the fingerprint driver and put it here, give it a try if you use Windows 7 64-bit and don’t want to download the whole package. After a reboot, the drivers were successfully installed and it was sufficient to proceed.

Linux driver, yay

The rest is easy: just follow the Readme to install the Linux driver and make sure it works by enrolling a finger and verifying it:

$ fprintd-enroll -f "right-index-finger" "$USER"
$ fprintd-verify

Usage

I’m using home partition encryption, so I have to type in a password on every boot to decrypt the partition. If you don’t (which I recommend against by the way, especially on a laptop), adding this line on top of /etc/pam.d/sddm should enable fingerprint authentication (if you use SDDM, of course):

What I do use fingerprint reader for is to unlock the screen. To enable this in KDE Plasma, add the same line to the top of /etc/pam.d/kde.

Now if you lock your screen (e. g. with loginctl lock-session command) you can press Return and touch the fingerprint sensor to unlock. The ugly part is that if you want to use the password, you’ll need the fingerprint scan to fail 3 times.

Finally, I’d like to thank the devs who made this terrific job and keep improving this and other drivers. Please consider supporting them if you like their work and please keep nagging the hardware manufacturers to release (preferably open) Linux drivers and documentation for their products. :)

Your comment: