Holy. Cow. Just enabled sudo via Touch ID on my MBA. This. Changes. Everything.
All I had to do was edit /etc/pam.d/sudo and add the line
auth sufficient pam_tid.so
Now all they need to do is add in something you “know”, and they’d have some relatively robust security going on there.