Persistent Touch ID for sudo on macOS

Did you know you can activate Touch ID (or some other biometric) support to authenticate sudo commands on your command line, in a way that survives operating system updates?

All you need to do is copy & modify a single file:

cd /etc/pam.d
sudo cp sudo_local.template sudo_local
sudo nano sudo_local

And it should look like this when you are done:

# sudo_local: local config file which survives system update and is included for sudo
# uncomment following line to enable Touch ID for sudo
auth       sufficient

The way I see it, manually typing passwords isn’t just annoying; it’s an error-prone attack vector for key-logging and yet-another-barrier to productivity. To make software more secure, the best security stuff needs to be the most convenient option by default; this is one-of-many small steps towards that.


3 responses to “Persistent Touch ID for sudo on macOS”

  1. You need to `cd /etc/pam.d` before the `cp`. 🙂

    1. Oops! Of course! Fixed, thank you.

  2. Great tip! I wonder why they don’t make this more obvious or even on by default.