How to Use Touch ID to Authenticate Sudo Commands on a Mac

If you have a newer MacBook Pro, you may have gotten used to authenticating with Touch ID. But by default, Touch ID is not set up to authenticate sudo commands. These commands, which allow for a broader range of power in the command line, have to be authenticated by a password. If you’re a developer or power user on macOS, you might use sudo frequently. It can be extremely useful to authenticate sudo commands with Touch ID.

With a little bit of text file editing, we can access and edit the list of acceptable authentication methods for sudo. By adding a line of text, we’ll make Touch ID an acceptable method of authenticating sudo commands.

There is one potential downside to this change. If you authenticate sudo commands with Touch ID, you might not be able to authenticate sudo over secure shell, or SSH, where no fingerprint sensor is available. There’s talk about this getting fixed in a forthcoming version of macOS, maybe in an upcoming beta. If you use SSH frequently, make sure you test this functionality before you need it in a critical situation. For now, if you encounter that problem or bug, you’ll need to roll back the change by removing the text you added.

1. Open Terminal (found in “/Applications/Utilities”) and run the following command:

sudo nano /etc/pam.d/sudo

This will open the list of valid methods for authenticating at the sudo prompt. This is where we will add Touch ID as a valid method of authentication.

2. Create a new line underneath the line beginning with “#sudo” by pressing the down arrow key, then the Return key.

3. On the new line you just created, paste the following text:

auth       sufficient     pam_tid.so

You may notice that this text contains some spacing so it lines up cleanly with the existing entries. This isn’t strictly necessary, but it makes things easy to keep track of.

When you add this text, you’ll be adding a new way to authenticate sudo. This adds the Touch ID PAM (Pluggable Authentication Modules) module, pam_tid.so, to the list of modules that can “unlock” sudo. Because it is marked “sufficient” and sits above the existing password entry, a successful Touch ID check satisfies the authentication step on its own. The other entries in the file cover account checks, password changes, and session setup.

4. Press Ctrl + O and Enter to save the updated document.

5. Press Ctrl + X to quit the nano text editor.

6. The next time you run sudo, you’ll see the standard system dialog prompting for Touch ID. If your fingerprint is accepted, the command runs with sudo privileges without asking for your password.

If you’d prefer to authenticate via your password instead, click the “Use Password …” button and enter your password in the dialog box.

Once you’ve set up Touch ID to authenticate sudo commands, you’ll be able to authenticate sudo or the root user with just your fingerprint. You’ll also have the option to enter your password manually by clicking the “Use Password …” button. If you decide you want to reverse the change, just remove the line you added and save the settings file again. This will remove Touch ID from your MacBook Pro’s list of acceptable sudo authentication methods.
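The steps above can be wrapped in a small script that adds the line idempotently, keeps a backup, and provides the matching rollback. The following is an added example, not code from the original article: it operates on whatever file path you give it, so you can try it on a copy before touching the real file (the real /etc/pam.d/sudo is root-owned, so you would run it with sudo). The sample PAM file it writes is constructed here to mirror the layout of the macOS sudo PAM file, and the function names are this example’s own.

```shell
#!/bin/sh
# Added example (not from the original article): enable or disable the
# Touch ID PAM module for sudo in a PAM config file passed as an argument.

# The exact line the article asks you to paste.
PAM_LINE='auth       sufficient     pam_tid.so'

# make_sample_pam_file FILE: write a constructed copy of the macOS sudo PAM
# file layout so the functions below can be exercised on a scratch file.
make_sample_pam_file() {
    cat > "$1" <<'EOF'
# sudo: auth account password session
auth       sufficient     pam_smartcard.so
auth       required       pam_opendirectory.so
account    required       pam_permit.so
password   required       pam_deny.so
session    required       pam_permit.so
EOF
}

# has_touchid_sudo FILE: true when pam_tid.so is an active (uncommented)
# "auth sufficient" entry, i.e. the change is in effect.
has_touchid_sudo() {
    grep -Eq '^[[:space:]]*auth[[:space:]]+sufficient[[:space:]]+pam_tid\.so' "$1"
}

# touchid_before_password FILE: true when the pam_tid.so entry precedes the
# pam_opendirectory.so (password) entry. That ordering is what lets a
# Touch ID success satisfy the auth stack without a password prompt.
touchid_before_password() {
    tid=$(grep -n 'pam_tid\.so' "$1" | head -1 | cut -d: -f1)
    od=$(grep -n 'pam_opendirectory\.so' "$1" | head -1 | cut -d: -f1)
    [ -n "$tid" ] && [ -n "$od" ] && [ "$tid" -lt "$od" ]
}

# enable_touchid_sudo FILE: insert PAM_LINE directly under the "# sudo:"
# header (the position the article uses), once. A backup is left at
# FILE.bak so the edit can be reverted exactly.
enable_touchid_sudo() {
    file="$1"
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 1; }
    if grep -q 'pam_tid\.so' "$file"; then
        echo "pam_tid.so already present in $file, nothing to do"
        return 0
    fi
    cp "$file" "$file.bak" || return 1
    if grep -q '^# *sudo' "$file.bak"; then
        # Print every line; right after the header line, print PAM_LINE once.
        awk -v line="$PAM_LINE" \
            '{ print } /^# *sudo/ && !done { print line; done = 1 }' \
            "$file.bak" > "$file"
    else
        # No header comment: put the entry first so it still precedes the
        # password module.
        { echo "$PAM_LINE"; cat "$file.bak"; } > "$file"
    fi
    grep -q 'pam_tid\.so' "$file"
}

# disable_touchid_sudo FILE: the rollback the article describes, remove the
# pam_tid.so line(s). Also leaves a FILE.bak copy of the pre-rollback state.
disable_touchid_sudo() {
    file="$1"
    [ -f "$file" ] || return 1
    cp "$file" "$file.bak" || return 1
    grep -v 'pam_tid\.so' "$file.bak" > "$file"
    ! grep -q 'pam_tid\.so' "$file"
}

# Usage: sudo sh enable-touchid-sudo.sh /etc/pam.d/sudo
# (try it on a copy first: cp /etc/pam.d/sudo /tmp/sudo && sh enable-touchid-sudo.sh /tmp/sudo)
if [ -n "${1:-}" ]; then
    enable_touchid_sudo "$1" && has_touchid_sudo "$1" && \
        touchid_before_password "$1" && echo "Touch ID enabled for sudo in $1"
fi
```

The ordering check matters more than the text of the line itself: “sufficient” only short-circuits the entries below it, so a pam_tid.so line placed after pam_opendirectory.so would still prompt for a password first and Touch ID would add nothing. Running the script twice is harmless because it refuses to add a second entry, and the .bak file gives you the exact previous contents if, for example, sudo over SSH stops working as the article warns.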
