Holy. Cow. Just enabled sudo via Touch ID on my MBA. This. Changes. Everything.

All I had to do was edit /etc/pam.d/sudo and add the line

auth sufficient pam_tid.so

Awe. Some.

Now all they need to do is add in something you “know”, and they’d have some relatively robust security going on there.