You’ve got this shiny toy in your Mac that lets you use your fingerprint for authentication, and for some reason when you need to elevate your privileges, it doesn’t use that sensor. Epic Fail!
Fortunately, the facility is there; Apple just chose not to enable it, for reasons only they know. Since macOS uses PAM, it is very easy to enable the TouchID sensor for sudo (or for any other facility that authenticates through PAM).
The files you need to look at are in /etc/pam.d.
I recommend that before you do any of this, you open a terminal window, run sudo -s to get a root shell, and keep that window to the side. That way, if you mess up the sudo file and lock yourself out of sudo, you can still restore the backup of the file that you are about to make.
Edit the file /etc/pam.d/sudo (you need to use sudo, as only root can edit this file) and add the line
auth sufficient pam_tid.so
after the smartcard line. Order matters in this file! Placing it there lets a smartcard still work without the fingerprint. You could also add it later in the file to make it so that both the password AND your fingerprint are required; PAM is very flexible in this way. But for most people, who just want the fingerprint to work and fall back to the password if it fails, this one line adds the function you want.
The following command patches the PAM sudo file to enable TouchID; the "2a3" appends the line after line 2 of /etc/pam.d/sudo, which is the smartcard line (all one line):
echo -ne "2a3\n> auth sufficient pam_tid.so\n" | sudo patch -b /etc/pam.d/sudo
This will create a backup file called sudo.orig, which you can remove once you are sure the patch applied correctly.
Note: every time Apple updates the OS you will need to run this command again, as the update restores the file to its default.
Here is a script you can use that will add the PAM setting if it has not already been added, and leave the file alone if it is already there:
#!/bin/bash
# Enable TouchID for sudo by inserting the pam_tid.so line after the
# pam_smartcard.so line, as described above. Safe to re-run.
PAMFILE=/etc/pam.d/sudo
if [ "$(id -u)" -ne 0 ]; then
    echo "You must be root (sudo) to run this."
    exit 1
fi
if grep -q pam_tid.so "$PAMFILE"; then
    echo "TouchID already enabled"
else
    echo "Enabling TouchID for sudo"
    cp "$PAMFILE" "$PAMFILE.orig"   # keep a backup, like the patch command above
    # Insert after the smartcard line so a smartcard keeps working and the
    # password stays the fallback. If there is no smartcard line (older macOS),
    # insert after the comment on line 1 instead. BSD sed needs the '' after -i.
    if grep -q pam_smartcard.so "$PAMFILE"; then
        sed -i '' '/pam_smartcard.so/a\
auth       sufficient     pam_tid.so
' "$PAMFILE"
    else
        sed -i '' '1 a\
auth       sufficient     pam_tid.so
' "$PAMFILE"
    fi
fi
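As an added example (not code from the original post), here is a shell function that reports how pam_tid.so is wired into a sudo PAM stack, which is the "order matters" point made above, and which you can run after an OS update to see whether the line was reverted. The sample stacks are constructed, modelled on the macOS /etc/pam.d/sudo layout; the function reads the file named in its first argument, or stdin when given none.

```shell
#!/bin/sh
# Classify a PAM "sudo" auth stack and print one word:
#   missing      no "auth ... pam_tid.so" line (e.g. the stock file is back)
#   fingerprint  pam_tid.so is "sufficient" and precedes the required password
#                module, so a fingerprint alone unlocks sudo and a failed scan
#                falls back to the password
#   both         pam_tid.so is "required"/"requisite": fingerprint AND password
#   password     pam_tid.so is "sufficient" but sits after the required password
#                module, so the password is always asked for first
pam_touchid_status() {
    awk '
        /^[[:space:]]*#/ { next }                  # skip comment lines
        NF == 0          { next }                  # skip blank lines
        $1 != "auth"     { next }                  # only the auth stack matters
        $3 ~ /pam_tid\.so/ { tid = NR; ctl = $2 }  # where TouchID sits, and how
        $2 == "required" && $3 ~ /pam_opendirectory\.so/ { pw = NR }
        END {
            if (!tid)                               print "missing"
            else if (ctl ~ /^(required|requisite)$/) print "both"
            else if (!pw || tid < pw)               print "fingerprint"
            else                                    print "password"
        }
    ' "$@"
}

# Constructed sample stacks (assumed to mirror the stock macOS file layout).
STOCK='# sudo: auth account password session
auth       sufficient     pam_smartcard.so
auth       required       pam_opendirectory.so
account    required       pam_permit.so'

PATCHED='# sudo: auth account password session
auth       sufficient     pam_smartcard.so
auth       sufficient     pam_tid.so
auth       required       pam_opendirectory.so
account    required       pam_permit.so'

STRICT='# sudo: auth account password session
auth       sufficient     pam_smartcard.so
auth       required       pam_opendirectory.so
auth       required       pam_tid.so
account    required       pam_permit.so'

printf '%s\n' "$STOCK"   | pam_touchid_status   # prints: missing
printf '%s\n' "$PATCHED" | pam_touchid_status   # prints: fingerprint
printf '%s\n' "$STRICT"  | pam_touchid_status   # prints: both
```

Running `pam_touchid_status /etc/pam.d/sudo` from a shell profile is a cheap way to notice that an update has put the stock file back.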