Touch ID is widely available on many Mac models. It relieves us from typing passwords in many scenarios when using our Mac. As a developer, we often work with the command line through terminals. One scenario where we need to type our password is when we are trying to run a command as an administrator using sudo. Is it possible to authenticate using Touch ID instead of typing a password? The answer is yes.

In macOS, just like many *NIX operation systems, authentication is done by using the Pluggable authentication module (PAM), which integrates multiple authentication mechanisms to verify the identity of the user. Each of the services (e.g., sudo) has its policy file that specifies the corresponding authentication process. For example, the authentication process of sudo is controlled by /etc/pam.d/sudo.

When we open /etc/pam.d/sudo, we can see the following lines:

# sudo: auth account password session
auth       sufficient     pam_smartcard.so
auth       required       pam_opendirectory.so
account    required       pam_permit.so
password   required       pam_deny.so
session    required       pam_permit.so

The third column of this file specifies the PAM module (i.e., the shared library) used in each step, which implements the authentication mechanism. Although not enabled by default, the Touch ID authentication is implemented in pam_tid.so. Therefore, to enable Touch ID authentication for sudo we can simply add the following line to the beginning of /etc/pam.d/sudo.

auth sufficient pam_tid.so

Please note that the file is read-only, we need to first make it writable (e.g., 644), and revert its permission to read-only (i.e., 444) after modifying it. After saving the file, we need to relaunch the terminal to make the changes take effect.

More information on the PAM policy file can be obtained by running man pam.conf in the terminal.