Enabling Touch ID for sudo on macOS: Before and After Sonoma

In the vast and ever-evolving world of macOS, the highly anticipated release of macOS Sonoma (macOS 14) marked a monumental shift in the way users can enhance the security of their systems by enabling Touch ID authentication for sudo commands.

This post seeks to serve as a detailed guide on the step-by-step process of setting up Touch ID for sudo on both pre-Sonoma versions of macOS as well as the Sonoma (and subsequent) versions. By carefully following the instructions outlined in this post, you can start to leverage the power of Touch ID and take your macOS experience to new heights of convenience and security.

⚠️ Modifying PAM configurations can make your system unusable if done incorrectly. Proceed with caution.

Before macOS Sonoma (Pre-macOS 14)

Prior to macOS Sonoma, enabling Touch ID for sudo required modifications to the /etc/pam.d/sudo file. Here's how you could set it up:

1. Open Terminal:
   Launch the Terminal application on your Mac.

2. Edit sudo configuration:
   Use a text editor to open the /etc/pam.d/sudo file. For instance, you can use nano:

   sudo nano /etc/pam.d/sudo
   

3. Add Touch ID rule:
   At the top of the file, add the following line:

   auth       sufficient     pam_tid.so
   

4. Save and close:
   Save the file and close the editor. In nano, you'd press Ctrl + X, then Y to confirm, and Enter to exit.

5. Test configuration:
   Now, when you use the sudo command in Terminal, you should be prompted for a fingerprint scan instead of a password.

🔔 Note: This file will be overwritten after EVERY macOS update, even for minor system updates. Therefore, you need to redo the instructions in order to use this functionality. It is important to keep this in mind and ensure that you follow the steps again after each macOS update to maintain the Touch ID authentication for sudo.

macOS Sonoma (macOS 14) and Later

Good news! With macOS Sonoma, Apple introduced a new file, /etc/pam.d/sudo_local, allowing users to retain their Touch ID sudo configurations across system updates. Here's how to set it up:

1. Check for sudo_local.template:
   macOS Sonoma should come with a template file named sudo_local.template. Ensure it exists:

   ls /etc/pam.d/sudo_local.template
   

2. Create sudo_local from the template:
   If sudo_local.template exists, copy it to create sudo_local:

   sudo cp /etc/pam.d/sudo_local.template /etc/pam.d/sudo_local
   

3. Edit sudo_local configuration:
   Open sudo_local in a text editor, for example:

   sudo nano /etc/pam.d/sudo_local
   

4. Uncomment Touch ID rule:
   Uncomment the Touch ID rule by removing the # at the beginning of the line:

   #auth       sufficient     pam_tid.so
   

   to

   auth       sufficient     pam_tid.so
   

5. Save, close, and test:
   Save the file, close the editor, and test your configuration by using the sudo command in Terminal.

The final file based on the template with our modifications should look like this:

# sudo_local: local config file which survives system update and is included for sudo
# uncomment following line to enable Touch ID for sudo
auth       sufficient     pam_tid.so

By following these simple steps, you can easily enable Touch ID authentication for sudo on any version of macOS, thus providing users with a smooth and highly secure experience. This feature allows users to conveniently and securely authenticate themselves using their fingerprint, adding an extra layer of protection to their system. With Touch ID authentication for sudo, users can enjoy a seamless and hassle-free authentication process while ensuring the utmost security for their sensitive information.

⚠️ Please note: it's essential to remember that modifying PAM configurations is a sensitive operation and should be performed with caution. Always ensure you understand each step and command and have backups of your system before running those!