diff --git a/modules/module-list.nix b/modules/module-list.nix
index d4c1b35b..ba84d278 100644
--- a/modules/module-list.nix
+++ b/modules/module-list.nix
@@ -29,6 +29,7 @@
 ./system/launchd.nix
 ./system/patches.nix
 ./system/shells.nix
+ ./system/sudo.nix
 ./system/version.nix
 ./time
 ./networking
diff --git a/modules/system/etc-pam.d-sudo.patch b/modules/system/etc-pam.d-sudo.patch
new file mode 100644
index 00000000..fa361b42
--- /dev/null
+++ b/modules/system/etc-pam.d-sudo.patch
@@ -0,0 +1,8 @@
+--- /etc/pam.d/sudo
++++ /etc/pam.d/sudo
+@@ -1,4 +1,5 @@
+ # sudo: auth account password session
++auth sufficient pam_tid.so
+ auth sufficient pam_smartcard.so
+ auth required pam_opendirectory.so
+ account required pam_permit.so
diff --git a/modules/system/sudo.nix b/modules/system/sudo.nix
new file mode 100644
index 00000000..d4112edb
--- /dev/null
+++ b/modules/system/sudo.nix
@@ -0,0 +1,15 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+ cfg = config.system.sudo;
+in
+
+{
+ options = {
+ system.sudo.touchid.enable = mkEnableOption "Enable sudo authentication with Touch ID";
+ };
+
+ config = mkIf cfg.touchid.enable { system.patches = [ ./etc-pam.d-sudo.patch ]; };
+}
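Review bot: The added `auth sufficient pam_tid.so` line sits first in the auth stack, so a single successful Touch ID match satisfies sudo's auth phase and the smartcard and password (`pam_opendirectory.so`) modules below it are never consulted; that is the intended trade-off, but the patched file carries no comment saying the line is managed by nix-darwin, so the next person editing /etc/pam.d/sudo by hand will not know where it came from. I would add a marker line in the patch directly above it, `+# Touch ID for sudo, managed by nix-darwin (system.sudo.touchid.enable)`, and adjust the hunk headers to `+@@ -1,4 +1,6 @@` and `@@ -0,0 +1,9 @@` accordingly. Two operational caveats are worth recording in the module's option description rather than here: macOS reportedly rewrites /etc/pam.d/sudo during OS upgrades, which would silently drop this line (sudo then just falls back to the password prompt, so the failure is safe but invisible until the next rebuild), and pam_tid.so cannot authenticate without a usable local console (SSH sessions, and tmux without a reattach helper), where it likewise falls through to the password prompt.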
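Review bot: `mkEnableOption` prefixes its argument with "Whether to enable ", so the description on the options line renders as "Whether to enable Enable sudo authentication with Touch ID."; the argument should be the bare noun phrase, `system.sudo.touchid.enable = mkEnableOption "sudo authentication with Touch ID";`. `pkgs` is bound in the module arguments but never used in the file and can be dropped from `{ config, lib, pkgs, ... }:`. Since the option's only effect is to append a patch to `system.patches` that rewrites /etc/pam.d/sudo outside the Nix store, that reach should be visible to readers of the module; I would put a comment above the `config` line such as `# Prepends "auth sufficient pam_tid.so" to /etc/pam.d/sudo via system.patches; Touch ID then satisfies sudo auth without a password.` and mention the same in the option description.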