Just a reminder for myself:
To enable the fingerprint reader on a MacBook to be sufficient for sudo, just create a file /etc/pam.d/sudo_local (probably a copy of /etc/pam.d/sudo_local.template) and add the line
auth sufficient pam_tid.so
Or use ansible: