Sudo With Touch ID
Security and convenience are not best of the friends. Good password/pin practices are not convenience (long, different for each system, random). Biometric authentication is somewhat a good compromise.
Logging into your machine is a very repetitive task. I do it enough time is a day to be annoyed of long passwords. Additionally, I work a lot on command line so I do find myself running commands with
sudo a lot. Here is something that help me reduce some annoyance out of these.
You can setup your mac (may be other fingerprint enabled linux system) to use fingerprint based authentication. Most Mac users use this for login purpose. But till today I did not think about using fingerprint for
sudo commands. After a quick search I stumbled on the original port on iMore.
Original Post https://www.imore.com/how-use-sudo-your-mac-touch-id
Alternative Method 1: Via vi
If you are like me, and prefer using Terminal and vi, here is the method
1sudo vi /private/etc/pam.d/sudo
Goto line 2 and start a new line (
2Go-  + [Shift + G] + [o])
Paste this line
1auth sufficient pam_tid.so
Exit edit mode - [Esc]
Save and quit (
:wq!- [:] +[w] + [q] + [!] + [Enter])
Alternative Method 2: One Liner
Just run this command
1sudo sed -ie '1 a\ 2auth sufficient pam_tid.so 3' /private/etc/pam.d/sudo
Or this if you have gnu-sed on your mac
1sudo gsed -i '1 a auth sufficient pam_tid.so' /private/etc/pam.d/sudo
Its very common for enterprises to sync local password with your IDP (Example: Okta). I use a very long and different (for every system) passwords. I can get away with the hassle by using a password manager. My personal favorite is Safe In Cloud.
So, there is no way I can type it over and over again, every time I lock my machine
or run commands with
sudo. Additionally, I didn't want to put
sudoers config. I find that risky, as I run all sorts of random scripts on my
machine. So, using TouchID instead of password seems like a safe thing.
I have also used the PIV function of Yubikey for PIN based login, instead of password. That works too. But since I do find myself in public places with really smart people, giving away PIN is a big possibility. So, biometric lock seems safer.