How to use MacOS's Touch ID on Terminal

I know... use a fingerprint scanner and never come back. No need to write passwords, pins or patterns. But on the terminal when we use the magic word sudo ask for your password... yuck!!!

Don't worry. It can be solved easily because with macOS Sonoma, there is now a supported option to enable Touch ID for sudo:

sudo cp /etc/pam.d/sudo_local.template /etc/pam.d/sudo_local
sudo nano /etc/pam.d/sudo_local

Uncoment the last line of the file by removing the # from the start of the line.

# sudo_local: local config file which survives system update and is included for sudo
# uncomment following line to enable Touch ID for sudo
auth       sufficient     pam_tid.so

Save changes with ctrl+x and overwritte the file.

Extra

On the default terminal works like a charm, but on iTerm2 needs an extra configuration. Go to Prefs -> Advanced -> Allow sessions to survive logging out and back in and set the value to no.

Restart and enjoy it.

---

That's All Folks!
Happy Coding 🖖

Comments

[kychanbi]

There is an extra step needed for some guys using display docks.
I followed the above steps, but got GUI password prompt instead of touchID

After I ran this. It works prefect now.
defaults write com.apple.security.authorization ignoreArd -bool TRUE


source: apple.stackexchange.com/questions/...

[Elvis McNeely]

Thanks! After applying this (and the instructions from the author) I started to get the biometric password prompt.

[Diego]

Awesome. Works!

[Daiyrbek Artelov]

After each macOS update the file is reset to initial state. Is it possible to somehow automate this process? So after each update some script will run to append the line in the file?

[Ilja Reznik]

this is what I use as an alias in my shell
alias enable-fingerprint="sudo sed -i '1 i\auth sufficient pam_tid.so' /etc/pam.d/sudo"

just make sure that u use gnu-sed (at least that is what I tried)

[Daiyrbek Artelov]

I have tried your approach but with no success. Mine was standard macOS' sed and it requires additional params '' after -i. Anyway I found working variant:

alias fingerprinton="sudo sed -i '' '1s;^;auth sufficient pam_tid.so\n;' /etc/pam.d/sudo"

Anyway thank you

[Ilja Reznik]

that can be cause the gnu-sed and macos' sed are not the same. Nice that you got it to work

[Camilo Martinez]

Maybe with some bash/zsh script.

[Ben Halpern]

Really slick UX here

[Gabriel Basilio Brito]

Works like a charm

[Miguel Tineo]

Just perfect! 👏

[Andrés Reyes Galgani]

Gracias amigo y ¡¡Viva Colombia!!

Saludos desde Chile 🇨🇱

[Camilo Martinez]

Con gusto Andrés!

[Moataz Elmasry]

Many thanks. Works great!!!

[Brett Stevenson]

This is great! Just what I was looking for!

[phantomfactotum]

Bless your soul

[Sethu Senthil]

Is there a way to make this work on the VS Code integrated terminal?

[Camilo Martinez]

I used to have this configuration, and also works on VS Code.

{
    "terminal.external.osxExec": "iTerm.app",
    "terminal.integrated.fontFamily": "MesloLGS NF",
    "terminal.integrated.fontSize": 14,
    "terminal.integrated.shell.osx": "zsh",
    "terminal.integrated.shellIntegration.enabled": true,
}