Six Colors

by Jason Snell & Dan Moren

By Dan Moren

Quick Tip: Enable Touch ID for sudo

Update: As of macOS Sonoma, there’s a new and improved method for enabling this feature that’s designed to survive a system update.

My new MacBook Air is proving to be all that I’d hoped, and it’s not just because of the fancy new M1 processors. Since I’m coming from a 2014 MacBook, I’m reaping the benefits of all the other advancements Apple has made to its laptop line in the intervening years, and prime among those is the incorporation of Touch ID: I’ve already enabled it for 1Password (what a lifesaver) and, thanks to a tip from Twitter follower Josef, I can bring it to one of my other favorite places: the command line.

Josef pointed out that it’s relatively easy to add Touch ID support for sudo, the Terminal command that allows you to temporarily grant yourself the powers of the superuser, to do things that no mortal user can do! (Think of it as the command-line equivalent of typing your administrator password in that dialog box that pops up when you want to make a system-level change.)

The good news is that Apple has done most of the heavy lifting here by having built a pluggable authentication module (PAM) for Touch ID; all you need to do is essentially turn it on, which takes just a few simple steps.

First, open up Terminal. Navigate to the directory where the system stores the list of PAMs by typing cd /etc/pam.d/ and open the sudo file there in your favorite command-line text editor.[1] (You can also use a GUI editor like BBEdit.) Note that if you open it via the command line, you’ll need to use sudo itself to do so, since the file is (understandably) protected.

Once you’ve opened it, add the following below the first line (you’ll see the headers under which each of the entries goes):

auth sufficient

That line basically tells the sudo command that the Touch ID authentication module is sufficient to authorize the user, which is all you need to do.

[Image: Sudo with Touch ID]

Save the file and you’re done! Now, the next time you use the sudo command, instead of being prompted for your password, you’ll get a dialog box asking you to authenticate with Touch ID, just as you would any other time you needed to authenticate. (And, as an extra bonus, if you choose to click Enter Password, you’ll get prompted to use either the password or your Apple Watch, if you have one.)
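The edit described above can be rehearsed on a scratch copy before the real file is touched. This is an added example, not part of the original article: it assumes the Touch ID module is Apple's pam_tid.so (the module name does not appear in the line as shown above), and the function names and sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example. Assumption: the Touch ID PAM module is Apple's pam_tid.so.
TID_LINE='auth       sufficient     pam_tid.so'

# has_touch_id FILE: succeed if an active (uncommented) rule enables the module.
has_touch_id() {
    awk '$1 == "auth" && $2 == "sufficient" && $3 == "pam_tid.so" { found = 1 }
         END { exit !found }' "$1"
}

# tid_is_first FILE: succeed if pam_tid.so is the first auth rule. PAM walks the
# stack top to bottom, so a rule placed lower is only tried after those above it.
tid_is_first() {
    awk '$1 == "auth" { print $3; exit }' "$1" | grep -qx 'pam_tid.so'
}

# add_touch_id SRC DST: write DST as SRC with the rule inserted below line 1.
# Idempotent: a file that already has the rule is copied unchanged.
add_touch_id() {
    if has_touch_id "$1"; then
        cp "$1" "$2"
    else
        awk -v line="$TID_LINE" '{ print } NR == 1 { print line }' "$1" > "$2"
    fi
}

# make_sample FILE: constructed stand-in for a stock /etc/pam.d/sudo.
make_sample() {
    cat > "$1" <<'EOF'
# sudo: auth account password session
auth       sufficient     pam_smartcard.so
auth       required       pam_opendirectory.so
account    required       pam_permit.so
password   required       pam_deny.so
session    required       pam_permit.so
EOF
}

# Demo on a scratch directory; nothing under /etc is read or written.
tmp=$(mktemp -d)
make_sample "$tmp/sudo"
add_touch_id "$tmp/sudo" "$tmp/sudo.new"
has_touch_id "$tmp/sudo.new" && tid_is_first "$tmp/sudo.new" && cat "$tmp/sudo.new"
```

To apply it for real, run add_touch_id against /etc/pam.d/sudo, compare the output with the original, keep a backup, and keep a root shell open until a fresh sudo call succeeds.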

  1. I’m going to forestall the vi versus emacs debate by saying I’m a pico/nano guy, don’t @ me. 

[Dan Moren is the East Coast Bureau Chief of Six Colors. You can find him on Mastodon at or reach him by email at His latest novel, the supernatural detective story All Souls Lost, is now available for pre-order.]
