Since the release of macOS High Sierra, it has been possible to enable Touch ID authentication for the sudo tool. However, the necessary modifications needed to be re-applied after every update to macOS because the modified file would get overwritten with the OS’s default values each time macOS was updated.

As of macOS Sonoma though, this modification can now be persistent. Apple included the following note as part of the the What’s new for enterprise in macOS Sonoma KBase article:

Touch ID can be allowed for sudo with a configuration that persists across software updates using /etc/pam.d/sudo_local. See /etc/pam.d/sudo_local.template for details.

When examined on macOS Sonoma 14.0.0, the contents of the /etc/pam.d/sudo_local.template file are as shown below:

Copying the /etc/pam.d/sudo_local.template file to /etc/pam.d/sudo_local and uncommenting the indicated line allows Touch ID to work for authentication to the sudo tool.

To assist with the process of enabling and disabling Touch ID authentication for the sudo tool, I’ve written a couple of scripts. For more details, please see below the jump.

The scripts are available via the link below:

https://github.com/rtrouton/rtrouton_scripts/tree/main/rtrouton_scripts/enable_and_disable_touch_id_for_sudo

There are two scripts available at the above location:

• enable_touch_id_auth_for_sudo.sh: Enables Touch ID identification for the sudo tool.
• disable_sudo_touch_id_auth.sh: Disables Touch ID identification for the sudo tool.

Both scripts are set to check if they are being run on macOS Sonoma or later, and will exit with a message if they are run on an earlier version of macOS.