Recent macbooks have a fingerprint reader, which is typically used to unlock the computer and log in.

It is also possible to use it for sudo authentication via PAM:

% $EDITOR /etc/pam.d/sudo       
# sudo: auth account password session
auth       sufficient             # <== add this line
auth       sufficient
auth       required
account    required
password   required
session    required

Once the file is saved with the added line, a command with sudo will spawn the touch ID prompt. I confirmed it works on both and Kitty.

This solution does not work within tmux (confirmed), and apparently within iTerm2 as well (not confirmed). A separate PAM module is needed to do so ( I’d rather keep my core dependencies surface small though and not include a third party, so for now I am satisfied with the native touch ID module.