Small macOS utility for enabling Touch ID with sudo, including the session and screen-observation fixes that commonly make sudo fall back to password-only prompts.
One-Line Install And Enable
This installs sudo-touchid-fix and tsudo, enables Touch ID for sudo, installs pam-reattach with Homebrew if needed, and applies the current-user ignoreArd workaround:
curl -fsSL https://raw.githubusercontent.com/Divide-By-0/macos-sudo-touchid/main/install.sh | bash -s -- --enable --install-reattach

Then test a fresh sudo authentication:
Why The ignoreArd Workaround Is Included
macOS can suppress Touch ID, Apple Watch, and smartcard authentication when it thinks the screen is being watched, recorded, mirrored, or remotely accessible. When that happens, pam_tid.so is configured correctly but the sudo prompt still falls back to password only.
This utility runs the current-user workaround by default:
defaults write com.apple.security.authorization ignoreArd -bool TRUE
That setting is required on some machines for Touch ID sudo to work while screen sharing, screen recording, Chrome Remote Desktop, DisplayLink-like display paths, or similar observation paths are active. It is a security tradeoff because it allows biometric authorization even when macOS thinks the screen is observed.
To opt out:
sudo-touchid-fix enable --no-ignore-ard

To remove the setting later:
sudo-touchid-fix disable-ignore-ard
Commands
sudo-touchid-fix status
sudo-touchid-fix enable --install-reattach
sudo-touchid-fix test
sudo-touchid-fix disable-ignore-ard
enable updates /etc/pam.d/sudo_local, keeping a timestamped backup next to it. On Apple Silicon, pam-reattach is added before pam_tid.so when available:
auth optional /opt/homebrew/lib/pam/pam_reattach.so ignore_ssh
auth sufficient pam_tid.so
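As an added check that is not part of sudo-touchid-fix, the script below audits a sudo_local-style PAM file for the layout shown above: an active pam_tid.so line with control "sufficient", and pam_reattach.so, when present, listed before it. The function name and the FILE argument are assumptions made for this example.

```shell
#!/usr/bin/env bash
# Added audit helper, not part of sudo-touchid-fix. Checks that a sudo_local-style
# PAM file matches the layout the README describes: an active pam_tid.so line with
# control "sufficient", and pam_reattach.so (if present) listed before it.
# The function name and the FILE argument are assumptions made for this example.

# check_pam_touchid FILE
# Prints one OK/FAIL line and returns 0 only when the Touch ID stack looks right.
check_pam_touchid() {
  local file="$1" tid reattach tid_ctrl
  if [ ! -r "$file" ]; then
    echo "FAIL: cannot read $file"
    return 1
  fi
  # Line number of the first non-comment line naming each module (empty if absent).
  tid=$(awk '!/^[[:space:]]*#/ && /pam_tid\.so/ { print NR; exit }' "$file")
  reattach=$(awk '!/^[[:space:]]*#/ && /pam_reattach\.so/ { print NR; exit }' "$file")
  if [ -z "$tid" ]; then
    echo "FAIL: no active pam_tid.so line in $file"
    return 1
  fi
  # The README's line uses "sufficient": with "required" or "optional" the auth
  # stack still continues to the password module, so a password is still asked for.
  tid_ctrl=$(awk -v n="$tid" 'NR == n { print $2 }' "$file")
  if [ "$tid_ctrl" != "sufficient" ]; then
    echo "FAIL: pam_tid.so control is '$tid_ctrl', expected 'sufficient'"
    return 1
  fi
  # pam_reattach.so only helps if it runs before pam_tid.so in the same stack.
  if [ -n "$reattach" ] && [ "$reattach" -gt "$tid" ]; then
    echo "FAIL: pam_reattach.so (line $reattach) comes after pam_tid.so (line $tid)"
    return 1
  fi
  echo "OK: pam_tid.so is sufficient${reattach:+ and pam_reattach.so precedes it}"
  return 0
}

# Run against a file given on the command line, e.g. /etc/pam.d/sudo_local.
if [ -n "${1:-}" ]; then
  check_pam_touchid "$1"
fi
```

On macOS, `defaults read com.apple.security.authorization ignoreArd` shows whether the workaround described above is currently set for the user.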
Showing The Command Before Touch ID
macOS controls the Touch ID authorization sheet, so this utility cannot put the exact sudo command inside the biometric popup itself.
Use tsudo when you want the command displayed immediately before authentication and in the password fallback prompt:
tsudo launchctl kickstart -k system/com.example.service
It prints:
sudo approving: launchctl kickstart -k system/com.example.service
Then it runs the command through sudo.
Manual Install
git clone https://github.com/Divide-By-0/macos-sudo-touchid.git
cd macos-sudo-touchid
make install
sudo-touchid-fix enable --install-reattach
Requirements
- macOS Sonoma or newer is recommended.
- Touch ID must be enabled for the current user.
- Homebrew is only needed for --install-reattach.