First, check that the device can be seen by your OS:
lsusb
dmesg
if it appears in dmesg but not lsusb, you might need to plug it directly into a usb port rather than in a usb hub. For some reason when I did this, and then switched it back to the usb hub, lsusb could see it again. I don't understand why, but this might work for you also.
Next, register your PIN and fingerprints using your chrome browser settings. For some reason, this has to be done in chrome; it doesn't work in chromium even though chromium has an identical settings area for security keys. The interface for this will feel familiar if you have used an android with a fingerprint reader.
- open google chrome and go to chrome://settings/securityKeys
- click "Create a Pin". It will ask you to touch the device. Touch it, then create a pin. 2(a). note, you might need to plug the device in directly and then plug into the hub before it gets detected properly
- click "Fingerprints" and after entering the pin, you can start registering fingerprints to the device. This data lives on the usb device.
next, you need to set up linux access. First, install the dependencies:
sudo apt install libu2f-udev u2f-host libpam-u2f
Then setup the directories needed by pamu2fcfg:
mkdir -p ~/.config/u2f
now, touch your fingerprint reader pamu2fcfg > ~/.config/u2f/u2f_keys
now, touch it with a different finger pamu2fcfg >> ~/.config/u2f/u2f_keys
To set up sudo access:
sudo vim /etc/pam.d/sudo
Add the following line before @include common-auth:
auth sufficient pam_u2f.so authfile=/home/youruser/.config/u2f/u2f_keys
obviously, replace youruser with your username
You might not want to set up biometric sudo -- changing to biometric unlock in sudo will mean if you try to sudo from remote ssh, you will never be able to authenticate using sudo. If you don't want biometric unlock with sudo, don't edit /etc/pam.d/common-auth or /etc/pam.d/sudo (or revert the previous change by deleting the auth sufficient pam_u2f.so line)
Next do:
sudo vim /etc/pam.d/common-auth
Add the following before the line auth [success=1 default=ignore] pam_unix.so:
auth sufficient pam_u2f.so authfile=/home/youruser/.config/u2f/u2f_keys
It’s also worthwhile to setup polkit; this is needed to get fingerprint auth with bitwarden working:
sudo vim /etc/pam.d/polkit-1
add:
auth sufficient pam_u2f.so authfile=/home/youruser/.config/u2f/u2f_keys
before the @include-common-auth line
You’ll also need to set up u2f:
sudo vim /etc/udev/rules.d/70-u2f.rules
edit the file to include:
#ATKey.pro
KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="31bb", ATTRS{idProduct}=="0622", TAG+="uaccess", GROUP="plugdev", MODE="0660"use the output of lsusb to determine the vendor and product ids for your particular device and use that instead if it's different from the above.
To add fingerprint auth to your login:
systemctl status display-manager
sudo cp /etc/pam.d/lightdm /etc/pam.d/lightdm.backup
sudo vim /etc/pam.d/lightdm
Add the following line before @include common-auth:
auth sufficient pam_u2f.so authfile=/home/youruser/.config/u2f/u2f_keys
Now, to get this all connected to bitwarden:
install bitwarden as an appimage, and ensure firefox is not running as a snap. Now, in bitwarden, click “allow browser integration” and “unlock with system authentication”
now connect it with firefox:
mkdir -p ~/.mozilla/native-messaging-hosts
vim ~/.mozilla/native-messaging-hosts/com.8bit.bitwarden.json
and add this:
{
"name": "com.8bit.bitwarden",
"description": "Bitwarden desktop <-> browser bridge",
"path": "/home/youruser/Downloads/Bitwarden-2026.3.1-x86_64.AppImage",
"type": "stdio",
"allowed_extensions": ["{446900e4-71c2-419f-a6a7-df9c091e268b}"]
}Now, in firefox, open bitwarden and click “unlock with biometrics”. Touch your device, and it should unlock! If not, try rebooting and trying again.