Use Touch ID for Terminal Passwords on macOS

Erk Ekin

As a software engineer, you likely spend a significant amount of time in the terminal, executing commands that often require sudo privileges. Typing your password repeatedly can become a tedious interruption to your flow. Did you know that you can leverage your Mac's Touch ID to authenticate these commands with just a touch of your finger?

This feature, when enabled, provides a more convenient way to authorize actions in the terminal that require elevated permissions, without weakening anything: the fingerprint match is performed by the Secure Enclave, and because the rule is added as "sufficient", your password keeps working as a fallback (over SSH, inside tmux, or whenever the Touch ID prompt is cancelled). Let's dive into how you can set this up on your macOS machine.

What is PAM and Why Do We Modify It?

Before we get to the how, let's briefly touch upon the "why." macOS, like other Unix-like systems, uses a framework called PAM (Pluggable Authentication Modules) to handle authentication tasks. PAM acts as a layer between applications that need to authenticate a user (like sudo) and the actual authentication methods (like passwords, Touch ID, etc.).

PAM uses configuration files to determine how a user should be authenticated for a specific service. By modifying the PAM configuration file for sudo, we can instruct the system to accept Touch ID as a valid authentication method.

Enabling Touch ID for sudo

The process involves editing a PAM configuration file. The specific file differs slightly depending on your macOS version.

For macOS Sonoma (and later):

macOS Sonoma introduced a change that makes this modification persistent across system updates: /etc/pam.d/sudo now contains the line auth include sudo_local, and the included file /etc/pam.d/sudo_local is left alone by updates, whereas /etc/pam.d/sudo itself gets overwritten.

  1. Open Terminal: Launch the Terminal application from your Applications > Utilities folder or via Spotlight search.

  2. Copy the template file: We'll create a local configuration file based on a template. Run the following command and enter your administrator password when prompted:

     sudo cp /etc/pam.d/sudo_local.template /etc/pam.d/sudo_local
    
  3. Edit the configuration file: Now, open the copied file for editing using a command-line text editor like nano:

     sudo nano /etc/pam.d/sudo_local
    
  4. Uncomment the Touch ID line: Look for the commented-out line containing auth sufficient pam_tid.so (it begins with #). Remove the # at the beginning of the line to uncomment it, leaving the rest of the line untouched. The line should now look like this:

     auth sufficient pam_tid.so
    
  5. Save and Exit: Save the changes to the file. If you're using nano, press Control + O, then hit Enter to confirm the filename, and finally press Control + X to exit the editor.

For macOS versions prior to Sonoma:

If you are using an older version of macOS, you will directly edit the main sudo PAM configuration file. Be aware that this change may be reset after a macOS system update, requiring you to repeat these steps.

  1. Open Terminal: Launch the Terminal application.

  2. Edit the sudo configuration file: Open the sudo PAM file for editing with nano:

     sudo nano /etc/pam.d/sudo
    
  3. Add the Touch ID line: Add the line auth sufficient pam_tid.so at the top of the auth stack: right after the leading comment line(s) that start with a # and before the first existing auth line, so that Touch ID is tried first and the existing password modules remain the fallback. On a pre-Sonoma system the file will look something like this:

     # sudo: auth account password session
     auth sufficient pam_tid.so
     auth sufficient pam_smartcard.so
     auth required pam_opendirectory.so
     # ... rest of the file ...
    

    If the file happens to contain an auth include sudo_local line, make sure auth sufficient pam_tid.so is above it (on such a system you should really use the sudo_local method described above instead).

  4. Save and Exit: Save the file and exit the editor (using Control + O, Enter, and Control + X in nano).
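Both procedures boil down to one edit: uncomment the pam_tid.so line if the file already carries it (the sudo_local template), or insert it as the first auth rule if it does not (a pre-Sonoma /etc/pam.d/sudo). Here is an added example, not from the original post, that does exactly that as a small POSIX shell script. It takes the file path as an argument so you can dry-run it on a copy before pointing it at /etc/pam.d with sudo; the function names are my own, and the file contents it expects are the stock ones shown above.

```shell
#!/bin/sh
# Added example (not part of the original post): enable pam_tid.so in a PAM file.
# Handles both layouts discussed above:
#   - sudo_local style: the line exists but is commented out  -> uncomment it
#   - pre-Sonoma /etc/pam.d/sudo: the line is absent          -> insert it first
# Running it twice is safe: an already-enabled file is copied unchanged.

TID_LINE='auth       sufficient     pam_tid.so'

# Exit status 0 if an active (uncommented) pam_tid.so auth rule is present.
has_touch_id() {
    grep -Eq '^[[:space:]]*auth[[:space:]]+sufficient[[:space:]]+pam_tid\.so' "$1"
}

# Enable Touch ID in the PAM file $1 and write the result to $2 (defaults to $1).
# Writing with "cat >" keeps the destination's owner and mode when it exists,
# which matters for root-owned files under /etc/pam.d.
enable_touch_id() {
    src="$1"; dst="${2:-$1}"
    tmp="$(mktemp)" || return 1
    if has_touch_id "$src"; then
        # Already enabled: nothing to change.
        cat "$src" > "$tmp"
    elif grep -Eq '^[[:space:]]*#[[:space:]]*auth[[:space:]]+sufficient[[:space:]]+pam_tid\.so' "$src"; then
        # sudo_local template: drop the leading '#' and keep the rest of the line.
        sed -E 's/^[[:space:]]*#[[:space:]]*(auth[[:space:]]+sufficient[[:space:]]+pam_tid\.so)/\1/' "$src" > "$tmp"
    else
        # Pre-Sonoma sudo file: insert before the first auth rule so pam_tid.so is
        # tried first; "sufficient" means the password modules below stay as fallback.
        awk -v line="$TID_LINE" '
            !done && $1 == "auth" { print line; done = 1 }
            { print }
            END { if (!done) print line }
        ' "$src" > "$tmp"
    fi
    cat "$tmp" > "$dst" && rm -f "$tmp"
}

# Usage (as root, after a dry run on a copy):
#   Sonoma and later: enable_touch_id /etc/pam.d/sudo_local.template /etc/pam.d/sudo_local
#   Earlier macOS:    enable_touch_id /etc/pam.d/sudo
```

Dry-run it first: copy /etc/pam.d/sudo_local.template (or /etc/pam.d/sudo) to /tmp, run enable_touch_id on the copy, and inspect it with cat; only then source the script in a root shell (sudo sh) and run it against the real file. Keep a second terminal with an active sudo -s session open until you have confirmed sudo still works, since a malformed PAM file breaks sudo for every user.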

Testing Your Setup

There is no need to restart Terminal: sudo reads its PAM configuration every time it runs. What can get in the way is sudo's credential cache, which skips authentication entirely for a few minutes after a successful password entry. Clear it first, then run a command that requires sudo:

sudo -k
sudo ls /private/var/root

A Touch ID dialog should appear instead of the Password: prompt. If you cancel it, or if you are in a session where Touch ID is not available (an SSH login, or a shell inside tmux or screen), sudo falls back to asking for your password, which is exactly what the "sufficient" keyword provides. If sudo instead fails outright, the PAM file has a syntax error: fix it from a root shell you kept open, or restore the original file.
