How to allow Touch ID to authenticate for Sudo commands on Mac

Subscribe to my newsletter and never miss my upcoming articles

To enable TouchID on your Mac to authenticate you for sudo access instead of a password you need to do the following steps.

  • Open Sudo configuration file with the following command

sudo vi /etc/pam.d/sudo

Initially file content should look like this

# sudo: auth account password session
auth       required       pam_opendirectory.so
account    required       pam_permit.so
password   required       pam_deny.so
session    required       pam_permit.so
  • Paste auth sufficient pam_tid.so on line 2 of the document (underneath the initial comment line)

After pasting contents should be like this

# sudo: auth account password session
auth       sufficient     pam_tid.so
auth       required       pam_opendirectory.so
account    required       pam_permit.so
password   required       pam_deny.so
session    required       pam_permit.so
  • Save the file (Since this file is read-only, you may be required to do force save, Eg vim will require you to use wq! when saving)

  • Now try to use sudo command on terminal and you should be prompted to authenticate with Touch ID as shown below

Screenshot 2019-11-02 at 1.13.51 PM.png

  • If you click 'Cancel' you can just enter your password at the terminal prompt if you click 'Use Password' you can enter your password in the dialog box.

  • If you SSH into your machine it will fall back to just use your password since you can't send your TouchID fingerprints over SSH

  • If you're using iTerm2 (v3.2.8+) you may have seen Touch ID failing to work with sudo in the terminal despite having made the pam_tid.so modification as above, and it works in previous versions. This is down to an advanced feature that seems to be now enabled by default - this needs to be turned off here: iTerm2->Preferences > Advanced > (Goto the Session heading) > Allow sessions to survive logging out and back in.

Screenshot 2019-11-02 at 1.17.56 PM.png

Reference: apple.stackexchange.com/questions/259093/ca..

John James Jacoby's photo

Thanks for linking the source and for calling out the iTerm2 comment specifically. Saved me a bit of time!

Emil Moe's photo

Brilliant. Thanks!

Would it at all be possible to do on a Linux server when on ssh onto a server?

Thamaraiselvam's photo

Thanks for the comment, if you SSH into your machine it will fall back to just use your password since you can't send your TouchID fingerprints over SSH

Emil Moe's photo

Thamaraiselvam Yes I thought so and I realised you already wrote that in the article, but I missed it. Doh! I wish in the future that it will be possible to forward a text string from the touch ID based on which server you are connected to. But that's another story.