On macOS Sonoma and newer, sudo still defaults to password authentication. If your Mac has Touch ID, you can enable fingerprint approval with a local PAM config that persists across updates.

Enable Touch ID for sudo

  1. Open /etc/pam.d and confirm the template file exists.

    $ cd /etc/pam.d
    $ ls -l sudo*
    .r--r--r-- 283 root 16 Sep 15:28 sudo
    .r--r--r-- 179 root 16 Sep 15:28 sudo_local.template
    
  2. Create sudo_local from the template.

    $ sudo cp sudo_local.template sudo_local

  3. Edit sudo_local.

    $ sudo -e sudo_local

  4. Uncomment the Touch ID line so that /etc/pam.d/sudo_local contains:

    # sudo_local: local config file which survives system update and is included for sudo
    # uncomment following line to enable Touch ID for sudo
    auth       sufficient     pam_tid.so

Verify

Open a new terminal session and run any sudo command. You should get a Touch ID prompt instead of password-only auth.

Troubleshooting

  • Re-check /etc/pam.d/sudo_local and confirm pam_tid.so is uncommented.
  • If you want to revert, comment out the pam_tid.so line again.
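
The re-check above can be scripted. This is an added example, not part of the original page: it reports whether the pam_tid.so rule in sudo_local is active, still commented out, or missing, and whether the file has become writable by anyone other than its owner. The function names tid_state and pam_file_loose are hypothetical, and the commented form it looks for (#auth ... pam_tid.so) is assumed from the template's "uncomment following line" hint.

```shell
#!/bin/sh
# Added example (not from the original page); function names are hypothetical.

# Print the Touch ID state of a PAM file: enabled, commented, absent or nofile.
tid_state() {
    file=${1:-/etc/pam.d/sudo_local}
    [ -r "$file" ] || { echo nofile; return 0; }
    awk '
        # Active rule: an "auth" line that names the pam_tid.so module.
        $1 == "auth" { for (i = 3; i <= NF; i++) if ($i == "pam_tid.so") active = 1 }
        # Same rule still behind a leading "#" (assumed template form).
        /^[ \t]*#[ \t]*auth[ \t].*pam_tid\.so/ { commented = 1 }
        END {
            if (active) print "enabled"
            else if (commented) print "commented"
            else print "absent"
        }
    ' "$file"
}

# Return 0 if group or other may write the file; the listing above shows r--r--r--.
pam_file_loose() {
    perms=$(ls -ld "$1" | awk '{ print $1 }')
    case $perms in
        ?????w*|????????w*) return 0 ;;
        *) return 1 ;;
    esac
}
```

Source the file and run tid_state with no argument to check /etc/pam.d/sudo_local; "commented" means step 4 was not saved, and "nofile" means step 2 was skipped.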

Further reading: Allow Touch ID for sudo (Apple Support)