You’ve got this shiny toy on your Mac that lets you use your fingerprint for authentication, and for some reason when you need to elevate your privileges, it doesn’t use that sensor. Epic Fail!
Fortunately, the facility is there. Apple just chose not to enable it for some reason only they know. Since macOS uses PAM, it is very easy to enable the TouchID sensor for sudo (or any other facility that uses PAM for its authentication).
The files you need to look at are in
I recommend that before you do any of this, you open a terminal window, run sudo -s to get a root shell, and then keep that window to the side. A root shell does not go through sudo again, so if you mess up the sudo PAM file and lock yourself out of sudo, you can still restore the backup you are about to make from that window.
Edit the file /etc/pam.d/sudo (you need to use sudo, as only root can edit this file) and add the line
auth sufficient pam_tid.so
directly after the pam_smartcard.so line and before the pam_opdirectory.so line. Order matters in this file! PAM works through the auth lines from the top: "sufficient" means that if pam_tid.so succeeds the stack stops there and you are in, and if it fails (or the module cannot reach the sensor) PAM simply moves on to the next line, which is the usual password prompt. Putting it after the smartcard line keeps a smartcard working without the fingerprint, and putting it before pam_opdirectory.so is what makes the fingerprint replace the password instead of being asked for after it. If you want both the password AND the fingerprint, use the control flag required instead of sufficient; PAM is very flexible in this way. But for most people, who just want the fingerprint to work and fall back to the password if it fails, this one line adds the function you want.
One caveat: pam_tid.so has to reach the TouchID prompt on your desktop, so it will fail (and fall back to the password) inside tmux or screen sessions and over SSH.
The following command will patch the PAM configuration for sudo to enable TouchID (all one line). It is a "normal" diff that appends the new line after line 2 of the file, which is the smartcard line in the stock file, so check that your file still looks like that before running it:
echo -ne "2a3\n> auth sufficient pam_tid.so\n" | sudo patch -b /etc/pam.d/sudo
This will create a backup file called /etc/pam.d/sudo.orig, which you can remove once you are sure the patch applied correctly. To check, run sudo -k in another terminal to drop the cached credentials, then any sudo command; you should get a TouchID prompt and, if you cancel it, the usual password prompt.
Note: Every time Apple updates the OS, you will need to run this command again, as the update restores the file to the default. Look at the file before re-running it; applying the patch to a file that already has the line gives you a duplicate. On macOS Sonoma and later Apple ships /etc/pam.d/sudo_local.template and has /etc/pam.d/sudo include sudo_local, so copying the template to /etc/pam.d/sudo_local and uncommenting its pam_tid.so line gives the same result and survives updates.
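Here is the same change as a small shell script, an added example that is not from the original post: it backs the file up, refuses to add a second pam_tid.so line if one is already there, anchors on the pam_smartcard.so line instead of a fixed line number, and checks that the new line landed before pam_opdirectory.so. The function and variable names (enable_touchid, has_touchid, verify_order, sample_pam_sudo, PAM_TID_LINE) are my own, and sample_pam_sudo is a constructed copy of the stock file layout so you can try the script on a temporary file before touching /etc/pam.d/sudo.

```shell
#!/bin/sh
# Added example (not from the original post): idempotently enable TouchID
# for sudo by editing the PAM config. Assumes the stock macOS layout of
# /etc/pam.d/sudo: an "auth ... pam_smartcard.so" line followed by
# "auth required pam_opdirectory.so".

PAM_TID_LINE='auth       sufficient     pam_tid.so'

# Constructed sample of the stock /etc/pam.d/sudo, for offline testing.
sample_pam_sudo() {
    cat <<'EOF'
# sudo: auth account password session
auth       sufficient     pam_smartcard.so
auth       required       pam_opdirectory.so
account    required       pam_permit.so
password   required       pam_deny.so
session    required       pam_permit.so
EOF
}

# Return 0 if the file already carries an auth line for pam_tid.so.
has_touchid() {
    grep -Eq '^[[:space:]]*auth[[:space:]]+[a-z]+[[:space:]]+pam_tid\.so' "$1"
}

# Insert the pam_tid line right after the pam_smartcard auth line, keeping a
# .orig backup next to the file. Does nothing if the line is already there,
# and refuses to guess if there is no smartcard line to anchor on.
enable_touchid() {
    file=$1
    if has_touchid "$file"; then
        echo "already enabled: $file" >&2
        return 0
    fi
    if ! grep -q 'pam_smartcard\.so' "$file"; then
        echo "no pam_smartcard.so line in $file; refusing to guess" >&2
        return 1
    fi
    cp "$file" "$file.orig"
    # awk is used instead of sed -i because the -i syntax differs between
    # macOS and GNU sed; the backup is the input, the live file the output.
    awk -v line="$PAM_TID_LINE" '
        { print }
        /^[[:space:]]*auth[[:space:]].*pam_smartcard\.so/ && !added { print line; added = 1 }
    ' "$file.orig" > "$file"
}

# Return 0 only if pam_tid.so appears before pam_opdirectory.so. A
# "sufficient" pam_tid placed after the required password module never
# affects the outcome: the password is still demanded first.
verify_order() {
    tid=$(grep -n 'pam_tid\.so' "$1" | head -n1 | cut -d: -f1)
    pw=$(grep -n 'pam_opdirectory\.so' "$1" | head -n1 | cut -d: -f1)
    [ -n "$tid" ] && [ -n "$pw" ] && [ "$tid" -lt "$pw" ]
}

# Usage on a real Mac, from the root shell you kept open:
#   enable_touchid /etc/pam.d/sudo && verify_order /etc/pam.d/sudo
```

Try it on a copy first: run sample_pam_sudo into a temporary file, call enable_touchid on it, and diff it against the .orig backup; once that looks right, run the two-line usage from the root shell and test with sudo -k followed by any sudo command in another terminal.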