Picked up this tip from @cabel related to
If you have a Macbook Pro with Touch ID (i.e. Touch Bar) support, you can enable Touch ID for sudo by adding this line as the 1st line after
auth sufficient pam_tid.so in the file
auth sufficient pam_tid.so
If Touch ID prompt doesn't appear until you keyed in the wrong password, chances are you added the line correctly, but not at the top.