TIL: For a consistent fingerprint auth experience on Mac, for both GUI and CLI, I learned that I can add this snippet to the top of /etc/pam.d/sudo:
auth sufficient pam_tid.so
and now everytime I get a password prompt, I instead get a fingerprint popup modal. Saves a ton of time if you have a longer password.