Don’t get me wrong; I love my MacBook Pro and I love my Apple Watch. I was a first-adopter of the original Series 0 watch and wore it religiously until the battery life dropped to an hour or two and then the battery itself decided that after four years of service it was going to swell to the point that it popped the screen off of the thing, forcing me to go out and buy a new one. And by “forcing” I mean enabling, and by “enabling” I mean giving me the slight excuse I needed to go buy another thing.
My current Apple Watch is a Series 3 Space Grey Aluminum. I also have a stainless steel Series 3 that’s sitting in a drawer and that I’ll be trading in when I get round to it; it looks great and feels very solid, but that sucker is heavy to the point that when I put the aluminum one on I wonder if I’ve suddenly become a lot stronger than I thought I was because everything weighs half as much. I love my Apple Watch and it’s basically become indispensable in a world where I shove my phone in my bag most of the time and rely on the thing on my wrist to tell me what time it is, who’s calling me, and how little I’m working out. It’s an amazing gadget, and one of the things it does best is be a proxy for an iPhone. Which is a curse and a blessing when it comes to things like, say, authentication.
The idea goes something like this: if your iPhone can be unlocked by biometric data that positively identifies you as the owner of the device (TouchID or FaceID), then your watch talks to your iPhone and decides that it’s okay for it to unlock itself based off of that lower tier of authentication. And if your watch knows that you’re you because your iPhone tells it that’s the case, then can’t the watch itself act as a proxy form of authentication for your computer?
I mean, it makes sense in a very practical way. Apple puts reasonable protections in place – the iCloud account you’re using has to have two-factor authentication set up – and it all seems pretty clever – once you get past the idea that your computer identifies you from your watch which identifies you from your iPhone which identifies you from your face or fingerprint, that is. It smacks of a bunch of kids standing on each other’s shoulders wearing an enormous overcoat to get into an R-rated movie, but nonetheless you can’t really fault the basic core of the idea. And really, it works well in reality too; Bluetooth Low Energy (BLE) does its job the way you expect it will.
This might be a good time and place to dip – in a very cursory fashion – into what Bluetooth actually is. Which is, confusingly, two entirely different things that don’t talk to each other. What we’ve traditionally considered as Bluetooth is Bluetooth “Classic”. It enjoys a robust data rate, which makes it perfect for applications like media streaming to speakers – it ensures a constant flow of data between source and destination at distances up to 100 meters on the 2.4 GHz spectrum. The other technology is Bluetooth Low Energy (or BLE for those of us who don’t want to type that out every time), which, while it uses the same frequency and enjoys the same (if not greater) range, isn’t designed for the kind of throughput you get from Bluetooth Classic. BLE is used in industries and applications where connectivity and small data transfers are preferred, which at the moment mostly means wearables and thus mostly means Apple Watches. While BLE technically enjoys the same range as Bluetooth Classic, the proximity-sensing function of it is active within a much shorter range (about 1-2 meters).
In the case of my 16″ MacBook Pro and my Series 3 watch, it’s exactly 60″. I know this because I spent an enjoyable afternoon with a tape measure, a watch, a laptop, and a cat who tried to sit on all three at some point. With the “Unlock with Apple Watch” option checked in the Security Preference Pane I was able to unlock the laptop with the watch reliably at that distance before hitting the proverbial wall. That’s five feet from the laptop, and common sense would dictate that if you’re five feet’s worth of lunging distance from your computer then you’re probably going to be able to stop some miscreant from getting on there and causing much havoc.
In fact, it’s almost a certainty that you’ll be able to do that. Especially if your Mac is a desktop, as desktops are notoriously difficult to pick up with one hand and walk away with. You can probably see where I’m going with this: while you can bring your Apple Watch into close proximity with your laptop and unlock your way in, you can also bring your laptop into close proximity with your watch and achieve the same result. And I know this because I’ve done it.
Just so we’re clear: I didn’t steal anyone’s laptop. In fact, I asked a friend of mine who works in a coffee shop to wait for me to go to the restroom, pick up my MacBook Pro, walk up to the restroom door and then see if it would unlock. He did, and it did, and if I’d been sans pants in a locked room then he could have escaped out of the back door with my unlocked laptop containing a ton of privileged data. As it is he charged me five dollars for two shots of espresso, so it’s not like the man is a saint.
Which brings me to the crux of the matter: you have to exhibit a little common sense when it comes to matters of authentication and access. The use case of a laptop-wielding maniac loitering outside a restroom is a statistical long shot, but in an office with a ton of people wandering around it’s not improbable that this kind of attack could be carried off pretty efficiently…