Apple - Can Touch ID for the Mac Touch Bar authenticate sudo users and admin privileges?
To allow TouchID on your Mac to authenticate you for sudo access instead of a password you need to do the following.
Open Terminal.

Switch to the root user with:

    sudo su -

Edit the /etc/pam.d/sudo file with a command-line editor such as vim or nano.
The contents of this file should look like one of the following examples:

    # sudo: auth account password session
    auth       required       pam_opendirectory.so
    account    required       pam_permit.so
    password   required       pam_deny.so
    session    required       pam_permit.so

or

    # sudo: auth account password session
    auth       sufficient     pam_smartcard.so
    auth       required       pam_opendirectory.so
    account    required       pam_permit.so
    password   required       pam_deny.so
    session    required       pam_permit.so
You need to add an additional auth line to the top so it now looks like this:

    # sudo: auth account password session
    auth       sufficient     pam_tid.so
    auth       sufficient     pam_smartcard.so
    auth       required       pam_opendirectory.so
    account    required       pam_permit.so
    password   required       pam_deny.so
    session    required       pam_permit.so
Save the file. (Note: this file is normally read-only, so saving your changes may require you to force the save, e.g. vim will require you to use :wq! when saving.) Also note that pam_smartcard.so may not be present on older macOS versions.

Exit from the root user or start a new terminal session.
Try to use sudo, and you should be prompted to authenticate with TouchID as shown below. If you click 'Cancel', you can just enter your password at the terminal prompt. If you click 'Use Password' you can enter your password in the dialog box.
If you SSH into your machine it will fall back to just use your password, since you can't send your TouchID fingerprints over SSH.
Note: See answer by user Pierz below if you're using iTerm, as there's a setting you need to explicitly change to enable this feature.
Note: Recent macOS updates may remove the entry. If TouchID stops working for sudo, then check if the entry was removed and add it back in, following these instructions again.
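The edit above is a one-line change, but the note that macOS updates can silently drop it makes a repeatable check worth having. The script below is an added example, not code from the answer or from Apple: it checks a PAM file for an active `auth sufficient pam_tid.so` rule and, if missing, inserts it before the first existing `auth` rule (PAM evaluates the stack top to bottom, so Touch ID must come first, ahead of pam_smartcard.so and pam_opendirectory.so). It takes the file path as an argument, so you can dry-run it on a copy before pointing it at /etc/pam.d/sudo as root. The sample PAM contents are constructed here to match the answer's first example; `has_tid`, `add_tid` and `make_sample` are names chosen for this example.

```shell
#!/bin/sh
# Added example: check for, and if needed add, the Touch ID PAM rule.
# Not part of the original answer; operates on whatever file path it is given.

# The rule the answer adds at the top of the auth stack.
PAM_LINE='auth       sufficient     pam_tid.so'

# has_tid FILE -> exit 0 if an active (non-commented) pam_tid.so auth rule exists
has_tid() {
  grep -Eq '^[[:space:]]*auth[[:space:]]+sufficient[[:space:]]+pam_tid\.so' "$1"
}

# add_tid FILE -> insert PAM_LINE before the first "auth" rule; no-op if present.
# Uses awk plus a temp file instead of sed -i, which differs between BSD and GNU.
add_tid() {
  file=$1
  if has_tid "$file"; then
    return 0
  fi
  tmp=$(mktemp) || return 1
  awk -v line="$PAM_LINE" '
    !done && $1 == "auth" { print line; done = 1 }
    { print }
    END { if (!done) print line }   # file had no auth rule at all: append
  ' "$file" > "$tmp" || { rm -f "$tmp"; return 1; }
  # Write through the existing inode so ownership and mode are preserved.
  cat "$tmp" > "$file" && rm -f "$tmp"
}

# Constructed sample matching the answer's first example, for a dry run.
make_sample() {
  cat > "$1" <<'EOF'
# sudo: auth account password session
auth       required       pam_opendirectory.so
account    required       pam_permit.so
password   required       pam_deny.so
session    required       pam_permit.so
EOF
}

# Real use on a Mac, as root:   add_tid /etc/pam.d/sudo
# Dry run here on a temporary copy:
sample=$(mktemp)
make_sample "$sample"
add_tid "$sample"
cat "$sample"
rm -f "$sample"
```

Running it twice leaves a single pam_tid.so line, so it is safe to call from a periodic job or after an OS update; `has_tid` alone serves as the "is it still there?" check the answer recommends.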
If you're using iTerm2 (v3.2.8+) you may have seen Touch ID failing to work with sudo in the terminal despite having made the pam_tid.so modification as above, and it working in previous versions. This is down to an advanced feature that seems to be now enabled by default - this needs to be turned off here: iTerm2 > Preferences > Advanced > (go to the Session heading) > Allow sessions to survive logging out and back in.
Alternatively you can use this pam_reattach module to retain the session feature and TouchID sudo at the same time.
TouchID does support elevating privileges, but as of now, it only seems to be supported in Apple's own apps. My guess is that 3rd party apps will have to be updated to support it, unfortunately. I still end up typing in my password a lot.
See @conorgriffin's answer for instructions to enable TouchID for sudo.