Touch ID for only certain functions (putting restricting on auth sufficient pam_tid.so)

This what ChatGPT has to say about this so take it for what it is...AI

Yes, Touch ID authentication on macOS can be restricted to specific functions, but only within the boundaries Apple allows through its system and developer APIs:

1. System-Level Restrictions (Apple-defined)

Touch ID is used for:

• Unlocking the Mac
• Apple Pay / App Store / iTunes purchases
• Password autofill / Safari passwords
• Approving system settings and locked preferences
• Approving sudo actions in Terminal (on supported macOS versions)

These cannot be customized by users beyond enabling/disabling them in System Settings > Touch ID & Password.

2. App-Level Restrictions (Developer-controlled)

App developers can selectively require Touch ID for specific app functions using the LocalAuthentication framework:

• Developers define which features or screens require authentication.
• Touch ID can be used to protect access to sensitive content or actions (e.g., financial data, secure notes, etc.).
• The app can fall back to a password or other form of authentication if Touch ID fails or is not available.

💡 Example: A notes app may require Touch ID only to access a specific "locked notes" section.

3. Terminal (Advanced) – sudo with Touch ID

You can restrict sudo commands to require Touch ID on supported Macs:

sudo nano /etc/pam.d/sudo

Add this at the top:

auth       sufficient     pam_tid.so

Now Touch ID will be required for sudo — but only for Terminal actions.

Summary

• Users can’t set Touch ID for arbitrary system functions.
• Developers can selectively require Touch ID within their own apps.
• Advanced users can configure certain security prompts like sudo to require Touch ID.

Let me know if you want help with Terminal setup or writing an app script with Touch ID.

lkrupp wrote:

This what ChatGPT has to say about this so take it for what it is...AI

3. Terminal (Advanced) – sudo with Touch ID

You can restrict sudo commands to require Touch ID on supported Macs:

sudo nano /etc/pam.d/sudo

Add this at the top:

auth sufficient pam_tid.so

Now Touch ID will be required for sudo — but only for Terminal actions.

FYI, I found this article which explains how to enable TouchID for the Terminal "sudo". According to this article Apple made a change to macOS where this configuration setting can be retained even after OS updates.

https://blog.adriankwiatkowski.eu/enabling-touch-id-sudo-macos-before-after-sonoma/

Disclaimer: I have not personally tried it.

Didi Poujah wrote:

Hello,

I know it's possible to authenticate sudo commands using Touch ID, but I want to restrict which commands I can do that with. For example, if I want to delete/move/change permissions and owners of any files I want to use my password, but things like installing an application from well known developers or creating new files I'd like to use Touch ID (I hope this makes sense)!

Is there any way to do that?

I don't want to be able to do anything too risky with sudo Touch ID, please let me know!

You can see your options:

submit your Apple Feedback here: Product Feedback - Apple