Every year at TidBITS we write a series of fabricated articles for April Fools’ Day. Our goal is to start with a nugget of reality that slowly expands to the amusingly implausible. Sometimes our articles eventually come true (for my most recent hit, see “iCloud for Families Debuts,” 1 April 2013), and sometimes we realize that an idea strikes too close to reality to include in that issue.
That’s exactly what happened when I started an article on some increasingly ridiculous ways the Apple Watch could enhance security as a second (after your iPhone) physical device an owner is likely to have, well, on hand. (Sorry.) The idea of leveraging the Apple Watch to improve authentication is irresistible to a security pro like me, and I strongly suspect we will see it happen before the next version of the Apple Watch hits the market. Here is how it might work, and the implications.
Who Are You? — Identity and Access Management (IAM) is the entire process of managing digital identities, and how they can access electronic systems. It includes everything from provisioning and propagating an identity (like your TidBITS account), to determining specific actions you can take on a system or in an application, like reading a file or sending a message. The part most familiar to average users is the process of proving that someone is who she says she is, which we call “authentication.” This is a source of ongoing angst since it is typically inconvenient for users (you have to remember and enter passwords), and, if authentication credentials are
compromised, they allow an attacker to take over an account completely.
When you authenticate, you provide an identifier (typically a username) and then something to prove you “own” that account. That can be something you know (a password), something you have (a token, or a code sent to a known phone), or something you are (a fingerprint). Use only one, like a password, and it’s called single-factor authentication. Use two, like a password and a one-time code sent to a phone, and it’s called two-factor authentication. Use even more factors, and we give up counting and just call it multi-factor authentication.
The most common combination, used by services such as iCloud, Dropbox, and Evernote, is your password and a 4–6 character code sent to your phone as a push notification or text message. Another option is a Time-Based One-Time Password (TOTP), which is a code generated every minute or so using an algorithm that keeps it in sync with a server; you use an iOS app like Google Authenticator, Authy, or 1Password for this. Touch ID on your iPhone is actually still single-factor authentication since only one thing (your fingerprint) is used to unlock your phone. It isn’t more secure, it’s just more convenient, and allows you to more easily use a longer
password on a day-to-day basis.
Enter the Apple Token — The Apple Watch is fascinating since everyone with an Apple Watch will also have an iPhone, meaning all those users have two physical tokens handy most of the time. The question then becomes how to best leverage this extra device in a security context.
The iPhone (or any phone) makes a good token because most of us nearly always have it nearby, it’s portable, and it has a separate communications channel (text messages) tied to the identity of the device. That’s why combining it with a password is growing more common, and it adds an extra layer of security. But it still isn’t perfect. Lose your phone and those codes may be exposed, especially if you use a weak passcode to lock the device. That’s why you still need to remember passwords, since providers can’t trust the phone alone. Or even worse, you may be locked out of your accounts after losing your phone.
Add an Apple Watch and we can now use the connection between the Apple Watch and the iPhone as an additional factor, assuming the identity of either can’t be spoofed. At the simplest level, the possession of both the Apple Watch and its associated iPhone can be used as two additional authentication tokens. Combine that with a password, and you have three tokens. Imagine using this for iCloud — Apple would send a message to your registered iPhone, which you would confirm with your unlocked Apple Watch, which proves you have both devices in hand (or close enough).
Although someone could potentially steal both your iPhone and Apple Watch at the same time, they would need to do so in a way that doesn’t lock the Apple Watch after it stops detecting your pulse. It’s possible, but certainly not likely.
Creative Biometrics — Apple could reduce even that minimal risk by also keeping Touch ID (or your iPhone passcode) in the picture. The message would hit your iPhone and you would need to validate it by first unlocking your iPhone before confirming receipt on the Apple Watch. That hopefully proves that you have both the iPhone and the Apple Watch at the same time. You could even skip any sort of code entering on the Apple Watch (or any interaction at all) and merely register its physical proximity.
I use a multi-factor authentication system that’s similar to this model, minus the Apple Watch. My iPhone is registered with Duo Security, and I also have their app on my iPhone. When I go to log in to certain services it sends a push notification to my iPhone through the Duo service. I unlock my iPhone (typically using Touch ID) and then tap a big button in the app to prove I have the iPhone and the credentials to unlock it. No need to enter a code. (Duo also supports other, more traditional multi-factor authentication options in case you aren’t on a network).
Set up the system properly and you have multi-factor authentication that could be incredibly convenient. Depending on the depth of security requirements, a service like Duo or Authy (see “Authy Protects Your Two-Factor Authentication Tokens,” 6 November 2014) could merely require that your iPhone and Apple Watch are connected via Bluetooth, that the Apple Watch is unlocked and on your wrist (tied to the heartbeat sensor), and that you tap a button in an Apple Watch app to authenticate. Or it could require you to also unlock your iPhone with Touch ID. Security that’s protected by two physical devices validated to be in possession of the user is
extremely strong, yet all you need to do is tap a notification on your Apple Watch.
That’s the key to a system like this — adaptive authentication that supports multiple options, increasing security requirements if anything looks out of place. Most banks already do this by tracking which devices and browsers you use, requiring extra questions for new ones, and backing that up by sending email to your registered address if anything changes.
This could even include voice analysis. Far from being science fiction, my bank, in its iPhone app, allows me to authenticate with my voice or facial recognition. It’s acceptable only when performed from a device I previously registered and validated with my passphrase, PIN, and answers to security questions. The iPhone itself also has to have a system passcode enabled. That’s two-factor authentication without me having to enter the bank account passcode every time. Yes, I can think of ways around this, but it is more than sufficient for average users (and my current bank balance).
That’s why this article failed as an April Fools Day piece. We already have scenarios where even banks accept a phone as one authentication factor and a biometric reading as another, all without requiring a passphrase except when you register a new device. We already have push notification-based authentication that requires only a tap, without entering a code into your Web browser. Some of you working in IT may even have a physical token you use with your mobile device in very similar models.
Add the Mac to the Security Equation — The Apple Watch could even enhance the security of our Macs. OS X 10.10 Yosemite’s Continuity feature already allows all Apple devices registered with the same iCloud account to communicate behind the scenes when in physical proximity. For instance, I’ve become dependent on the Instant Hotspot feature to connect my Mac to the Internet via my iPhone or iPad when traveling.
Imagine walking up to your Mac, tapping the Space bar to wake it up, and then tapping an approval notification on your Apple Watch (or perhaps proximity would be sufficient). You will still need a (hopefully strong) passphrase to unlock the Mac after a restart, or maybe after the devices switch networks or lose their Bluetooth connection, but the watch could become a convenient tool to log in. Again, this is nothing new, and there are third-party apps and devices on the market to do exactly that. The advantage of building it into the Mac is it would work as seamlessly as the rest of Continuity, and could potentially be used to log different users in to different accounts on a shared family computer.
The same mechanism could be used to log in to Web sites. I can easily see a version of 1Password (or one of its competitors) that unlocks itself on the Mac by using your iPhone and Apple Watch for authentication instead of a passphrase.
All this excites me, because adding a second physical device you nearly always have with you opens up options beyond even this speculation. That’s especially true when you consider adaptive authentication, and models that let you mix and match security requirements under different conditions and combinations of devices. While it sounds complex, and it certainly is on the back end, this sort of multi-factor authentication has the potential to simplify the user experience, all while increasing security. That seems like the sort of challenge Apple enjoys tackling.