Apple devices such as MacBooks and some Apple Magic Keyboards have a Touch ID fingerprint sensor that can authenticate a user with a touch of a finger. sudo does not use it by default: you have to type your password every time you run a command with elevated privileges in the terminal.
We can enable Touch ID for sudo with a small PAM config change. This lets you authenticate to sudo with Touch ID instead of your password, including approval via Apple Watch where Apple Watch unlock is enabled.
Warning: DisplayLink — Known Issue
As of the writing of this article, the DisplayLink driver prevents the use of Touch ID for sudo while a DisplayLink device is connected; sudo falls back to the password prompt. It works again once the DisplayLink device is disconnected. This is a known issue.
Enable Touch ID for sudo
Open the PAM sudo configuration file with elevated privileges. In this example we’ll use nano:
sudo nano /etc/pam.d/sudo
Add the following line at the top of the file, before any existing auth entries. Order matters: PAM evaluates auth modules top to bottom, and sufficient means a successful Touch ID check ends authentication, while a failed or cancelled prompt (for example with the lid closed and no external Touch ID keyboard) falls through to the normal password prompt:
auth sufficient pam_tid.so
Your config should look like the standard /etc/pam.d/sudo file with the new pam_tid.so line added at the top. Save and exit (Ctrl+X, then Y). Two caveats: a typo in this file can lock you out of sudo, so keep a second terminal with a working sudo session open until the test below passes; and macOS updates overwrite /etc/pam.d/sudo, so the line has to be re-added after each update. On macOS Sonoma and later, /etc/pam.d/sudo includes sudo_local, and you can instead copy /etc/pam.d/sudo_local.template to /etc/pam.d/sudo_local and uncomment the pam_tid.so line there; that file survives updates.
You can test your Touch ID prompt immediately by opening a new terminal session and running:
sudo -l
Your Mac should prompt you with a Touch ID dialog instead of a password prompt.
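The edit above as an added shell script, not code from the original article: it prefers /etc/pam.d/sudo_local when macOS ships the sudo_local.template (Sonoma and later), uncomments the pam_tid.so line that template carries, or otherwise inserts the line before the first auth entry of /etc/pam.d/sudo, and it is safe to re-run because it never adds the line twice. The --apply flag, the function names and the file-selection rule are this script's own conventions, not part of macOS.

```shell
#!/bin/sh
# Added example, not the article's code: enable pam_tid.so for sudo idempotently.
# Assumes the macOS layout: /etc/pam.d/sudo_local.template exists on Sonoma and
# later (sudo includes sudo_local, which survives updates); older releases only
# have /etc/pam.d/sudo. The --apply flag and function names are this script's own.
set -u

TID_LINE='auth       sufficient     pam_tid.so'
TID_ACTIVE='^[[:space:]]*auth[[:space:]]+sufficient[[:space:]]+pam_tid\.so'
TID_COMMENTED='^[[:space:]]*#[[:space:]]*auth[[:space:]]+sufficient[[:space:]]+pam_tid\.so'

# has_tid FILE: exit 0 if an active (uncommented) pam_tid.so auth line is present.
has_tid() {
    grep -Eq "$TID_ACTIVE" "$1" 2>/dev/null
}

# add_tid FILE: enable pam_tid.so exactly once. Uncomments the line the
# sudo_local template ships, or inserts it before the first auth entry so it
# is evaluated first; appends it if the file has no auth entries at all.
add_tid() {
    pam_file="$1"
    has_tid "$pam_file" && return 0
    tmp_file="$pam_file.tmp.$$"
    if grep -Eq "$TID_COMMENTED" "$pam_file"; then
        sed -E 's/^[[:space:]]*#[[:space:]]*(auth[[:space:]]+sufficient[[:space:]]+pam_tid\.so)/\1/' \
            "$pam_file" > "$tmp_file"
    else
        awk -v line="$TID_LINE" '
            !done && /^[[:space:]]*auth[[:space:]]/ { print line; done = 1 }
            { print }
            END { if (!done) print line }
        ' "$pam_file" > "$tmp_file"
    fi
    # Write back through the existing inode so owner and mode are preserved.
    cat "$tmp_file" > "$pam_file" && rm -f "$tmp_file"
}

# target_file: prefer sudo_local when the template exists, else sudo itself.
target_file() {
    if [ -f /etc/pam.d/sudo_local.template ]; then
        echo /etc/pam.d/sudo_local
    else
        echo /etc/pam.d/sudo
    fi
}

# Usage: sudo sh enable_touchid_sudo.sh --apply ; then verify with: sudo -l
if [ "${1:-}" = "--apply" ]; then
    [ "$(id -u)" -eq 0 ] || { echo "run with sudo" >&2; exit 1; }
    target=$(target_file)
    if [ "$target" = /etc/pam.d/sudo_local ] && [ ! -f "$target" ]; then
        cp /etc/pam.d/sudo_local.template "$target"
    fi
    add_tid "$target"
    echo "pam_tid.so enabled in $target; verify in a new terminal with: sudo -l"
fi
```

Run it with sudo and the --apply flag, then open a new terminal and run sudo -l to confirm the Touch ID prompt appears before closing the shell you ran it from. Without --apply the script only defines the functions, which is what makes it easy to test against a scratch copy of the PAM file first.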
Enable Touch ID Support in iTerm2
Touch ID for sudo works out of the box in the native Terminal app. For iTerm2, one additional setting is required, because a session that is allowed to outlive your login is not attached to your GUI login session and pam_tid.so cannot show the prompt.
Go to iTerm2 → Preferences → Advanced and search for:
Allow session to survive
Change “Allow session to survive logging out and back in.” to No.
You can test your Touch ID prompt in iTerm2 by opening a new session and running:
sudo -l