Got a MacBook or desktop Apple computer equipped with the TouchID sensor and wondering how you could stop having to type your admin password at every sudo prompt? Look no further!

The pam_tid plugin

Shipped with macOS is the pam_tid.so PAM plugin, which lets you invoke the TouchID authentication method in any PAM flow.

Since authenticating access to the sudo executable goes through PAM, we simply need to add pam_tid.so to the plugin list:

sudo nano /etc/pam.d/sudo

# sudo: auth account password session
auth       sufficient     pam_tid.so
auth       sufficient     pam_smartcard.so
auth       required       pam_opendirectory.so
account    required       pam_permit.so
password   required       pam_deny.so
session    required       pam_permit.so

Press Ctrl + X, then Y and finally Enter to write the file. macOS may ask you for permission to make sure you really want to edit this file.

You can now open a new terminal and execute sudo, you’ll see the familiar TouchID prompt and can now authenticate with your fingerprint.

On top of that, if you have an Apple Watch and have enabled the Unlock your Mac feature, you can also double-click the crown to approve the authentication.

Difference between required and sufficient

You may have noticed some plugins are registered as required while others are declared as sufficient (such as the TouchID one). A sufficient plugin is allowed to fail: if it succeeds, authentication is granted without consulting the rest of the list, and if it fails, PAM simply moves on to the next plugin. A required plugin, by contrast, must succeed for the authentication to pass.

If you close the TouchID prompt when trying to use sudo, you fall back to the regular password prompt. This also means you can still authenticate when the lid of your laptop is closed.

Note on macOS updates

/etc/pam.d/sudo being an important system file, it is likely to be overwritten during system updates. To bring back TouchID, simply repeat the procedure.
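Because the edit has to be redone after updates, a small re-runnable script is handy. The one below is an added example, not code from the original post: it checks whether a PAM config file already enables pam_tid.so and, if not, inserts the line as the first auth entry (right after the leading comment line), producing the same layout as the file shown above. The file path is a parameter so you can try it on a copy first; the script name enable_touchid.sh and the function names are my own choice.

```shell
#!/bin/sh
# Added example, not part of the original post.
# Usage: sudo sh enable_touchid.sh /etc/pam.d/sudo
PAM_LINE='auth       sufficient     pam_tid.so'

# Print "present" if the file already references pam_tid.so, else "absent".
touchid_status() {
    if grep -q 'pam_tid.so' "$1"; then
        echo present
    else
        echo absent
    fi
}

# Insert PAM_LINE before the first non-comment line (so it is evaluated
# before the required pam_opendirectory.so entry), unless it is already there.
# The rewrite goes through "cat > file" rather than "mv" so the original
# ownership and permissions of the system file are preserved.
enable_touchid() {
    file="$1"
    [ "$(touchid_status "$file")" = present ] && return 0
    tmp="$file.tmp.$$"
    awk -v line="$PAM_LINE" '
        !done && !/^#/ { print line; done = 1 }
        { print }
        END { if (!done) print line }
    ' "$file" > "$tmp" && cat "$tmp" > "$file" && rm -f "$tmp"
}

# When run directly with a path argument, apply the change and report.
if [ "$#" -gt 0 ]; then
    enable_touchid "$1"
    echo "pam_tid.so is now $(touchid_status "$1") in $1"
fi
```

Running it a second time is a no-op, so it is safe to invoke after every update. The line is deliberately placed above pam_opendirectory.so: that module is required, so if it came first you would still be asked for your password before TouchID ever got a chance.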

If you are using a newer Apple Silicon based computer and rely on DisplayLink to drive more screens than the hardware natively supports, you may run into issues causing the TouchID prompt not to appear.

A workaround is to set the following configuration key:

defaults write com.apple.security.authorization ignoreArd -bool TRUE