Inside Sierra: How Apple Watch 'Auto Unlock' will let you jump straight into macOS

Comments

  • Reply 21 of 46
    volcan Posts: 1,799 member

    volcan said:
    Can the Watch change its power class dynamically?

    Apparently Apple has figured it out.

    Would putting the class 3 antenna in the Mac solve that? Then the Mac is the device controlling the range requirement. Just a thought, by no means am I a Bluetooth expert
    If they were going to rely on new hardware, why not go for NFC?
     0Likes 0Dislikes 0Informatives
  • Reply 22 of 46
    VisualSeed Posts: 217 member
    rob53 said:
    If I were to begin writing a security plan with the Apple Watch as a way to unlock a system, I'd be very nervous. I understand it's acceptable for ApplePay because it has more than one requirement to make it work: 1) Watch attached to wrist, and 2) Watch authenticated to iPhone using PIN or TouchID (my emphasis, I wouldn't allow just the PIN), and 3) iPhone must be present. On the surface I might have been able to justify this combination but I'd like a few other questions answered before I would even attempt to include it as a secure means of unlocking a computer.

    1. Does the Apple Watch have some way of authenticating to the wrist it is attached to? Don't start laughing because if it doesn't, the FBI and other law enforcement people could simply attach the Apple Watch to their wrist, get close to a locked Mac and it would unlock.

    2. How long does the authentication process stay in effect before the user has to re-authenticate their Apple Watch? If the time period isn't too long, say one day, then it might be acceptable and make #1 moot.

    3. How secure and anti-sniffing is the version of Bluetooth used in all these devices? Can a hacker walk around with a sniffer in their pocket and sniff the Bluetooth communication going on between the devices and, most importantly, simulate it enough to unlock the computer the minute the user steps away?

    4. When the user leaves their Mac, does the computer get automatically locked? If so, from how far away. If not, this is a feature I'd absolutely demand and I'd want the distance to be minimal, like maybe 10 feet.

    5. The hardest part with getting this new feature approved for use on government computers is the unfortunate fact that the US government continues to ignore Macs and Mac security. They have begun to use iOS devices and have approved configurations (there are approved configurations for Macs but they really could care less). In order for this combination of hardware to be approved for government use, all three devices would need to be approved individually then the unlocking process specifically approved. The government isn't going to "waste" its time doing this so Apple needs to step up and make sure that before macOS Sierra is released all the updated security enhancements have been documented and approved by NIST, NSA, and the US government. I'm not holding my breath so I see this feature as being fun for Apple Watch users but doubt it will ever be used within the enterprise or government installation. Apple, please prove me wrong.
    The watch has the option to be made to require a PIN to enable it. This falls under the same logic as the PIN on the phone. The watch loses authentication if it is removed from the user's wrist or the battery dies. If the FBI had your watch they would have to know the code to authorize it no matter whose wrist they put it on.

    I suspect the unlock feature for the Mac would use the same encrypted tokenized method that unlocking the watch from the phone using Touch ID uses. It is not simply detecting the presence of a BT MAC ID. Sniffing will never let you know which token will unlock the computer. There are numerous and far easier ways to capture passwords from a keyboard. In fact, if BT sniffing was actually possible it would be better to just sniff Bluetooth keyboards and key log everything someone typed.

    Range is most likely going to be determined by signal strength. If the setting is allowed at all, it will be something you will have to adjust for your environment. My guess is Apple will make it so it reliably works well just a few feet away if they don't allow it to be user configurable.

    I have worked with many government agencies and have specifically worked with CAC integration. The gov has no issues using Macs. Apple has rarely implemented a security protocol or method that they objected to that could not be disabled in favor of their own. Apple's support of industry standard directory services (and even Active Directory) over the last 10+ years has done more positive to place Macs in the gov than any user interface gimmick has done to sideline them. The places where Apple still struggles to gain acceptance are where the agencies are still heavily invested in legacy Windows (and even DOS based) software. Even Microsoft and PC makers are now having a hard time fulfilling these needs. The NSA (et al.) doesn't deeply scrutinize and vet the vast majority of products or the vendors the various government agencies procure from. Only a very tiny fraction of installations require that kind of scrutiny. Even a big chunk of the IT tech on military installations is on par with whatever you can buy at your local Staples. Most agencies are free to buy whatever their budgets allow and their IT departments prefer. Politics plays more of a role in these decisions than any technical aspect.
    edited June 2016
     1Like 0Dislikes 0Informatives
  • Reply 23 of 46
    Soli Posts: 10,038 member
    volcan said:


    Would putting the class 3 antenna in the Mac solve that? Then the Mac is the device controlling the range requirement. Just a thought, by no means am I a Bluetooth expert
    If they were going to rely on new hardware, why not go for NFC?
    While BT's max distance is excessive for this usage and NFC's closed magnetic loop has obvious benefits when dealing with proximal security between two wireless nodes, I think you'll find that NFC's max distance is far too short for this to be useful.

    Let's say it auto locks after 2 minutes away from the keyboard (which I think is far too long), even having your wrist off to one side or working between both parts of an L-shaped desk seems problematic. Maybe the next gen NFC could resolve that, but I think BT has more than enough features to make it by far the most ideal option.
     0Likes 0Dislikes 0Informatives
  • Reply 24 of 46
    paxman Posts: 4,729 member
    macgui said:
    As mentioned, apps like Knock or MacID can be used with the iPhone. It just makes more sense to use the Watch, ploy or not.
    I checked out Knock on the App store. By most accounts the app is highly unreliable. I'd never buy an app with that many reviews with such a low average rating. 
     0Likes 0Dislikes 0Informatives
  • Reply 25 of 46
    why- Posts: 305 member
    surprised this doesn't work with the iPhone as well


    Also I've always been curious, how does the apple watch verify your identity without touchID?
    edited June 2016
     0Likes 0Dislikes 0Informatives
  • Reply 26 of 46
    VisualSeed Posts: 217 member
    why- said:
    surprised this doesn't work with the iPhone as well


    Also I've always been curious, how does the apple watch verify your identity without touchID?
    The watch requires a PIN to authenticate it. If you remove it from your wrist it will require the PIN again to access it. Optionally, it can also be configured to authenticate if you use Touch ID or your code to access the phone it is paired to. But it will also need to be on a wrist in range for this to work.
    edited June 2016
     0Likes 0Dislikes 0Informatives
  • Reply 27 of 46
    volcan Posts: 1,799 member
    Soli said:

    While BT's max distance is excessive for this usage and NFC's closed magnetic loop has obvious benefits when dealing with proximal security between two wireless nodes, I think you'll find that NFC's max distance is far too short for this to be useful.

    Let's say it auto locks after 2 minutes away from the keyboard (which I think is far too long), even having your wrist off to one side or working between both parts of an L-shaped desk seems problematic. Maybe the next gen NFC could resolve that, but I think BT has more than enough features to make it by far the most ideal option.
    Did they say it auto locked when you leave the workstation? I assumed it only unlocked the computer. I for one, often take off the Watch while at work to charge it, so that would be problematic if it logged me out. I think it is simple enough to log out manually because you don't have to type in a password to do that. Just Shift, Command, Q, and Enter. Certainly no reason for it to automatically log out just to walk across the room to retrieve something from the printer. Even Class 3 is too short of a range to remain connected in that case. Anyway, I agree that it probably uses some wireless protocol like BT that is already on Macs so NFC doesn't seem like an appropriate solution. If the computer had to be awake for the watch to unlock it then it could work with the default BT Power Class since you'd have to be close enough to wake it up instead of having it unlock automatically when you arrive in the parking lot.
    edited June 2016
     1Like 0Dislikes 0Informatives
  • Reply 28 of 46
    VisualSeed Posts: 217 member
    volcan said:
    Soli said:

    While BT's max distance is excessive for this usage and NFC's closed magnetic loop has obvious benefits when dealing with proximal security between two wireless nodes, I think you'll find that NFC's max distance is far too short for this to be useful.

    Let's say it auto locks after 2 minutes away from the keyboard (which I think is far too long), even having your wrist off to one side or working between both parts of an L-shaped desk seems problematic. Maybe the next gen NFC could resolve that, but I think BT has more than enough features to make it by far the most ideal option.
    Did they say it auto locked when you leave the workstation? I assumed it only unlocked the computer. I for one, often take off the Watch while at work to charge it, so that would be problematic if it logged me out. I think it is simple enough to log out manually because you don't have to type in a password to do that. Just Shift, Command, Q, and Enter. Certainly no reason for it to automatically log out just to walk across the room to retrieve something from the printer. Even Class 3 is too short of a range to remain connected in that case. Anyway, I agree that it probably uses some wireless protocol that is already on most modern Macs so NFC doesn't seem like an appropriate solution. If the computer had to be awake for the watch to unlock it then it could work with the default BT Power Class since you'd have to be close enough to wake it up instead of having it unlock automatically when you arrive in the parking lot.
    You can currently set your computer to auto lock after any specific amount of inactivity (and/or configure a hot corner for the screensaver). That is kind of my failsafe. I would like to have the ability to remotely lock the computer from my watch screen just in case I can't remember if I did before I left.

    I'm not sure what Apple's approach will be, but if I were to do it, I would make unlocking a close range authenticated connection. And locking to be a longer range (unauthenticated) detection of Bluetooth presence. So if your watch was on your desk or charging your computer would remain unlocked until you physically moved it out of range. But to unlock the Mac it will need to be on your wrist and authenticated. So if someone stole your watch from your desk, the Mac would lock and them bringing it back would not unlock it.
     0Likes 0Dislikes 0Informatives
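
The asymmetric policy proposed in Reply 28 (strict, authenticated, close-range unlock; looser, unauthenticated presence to stay unlocked), with signal strength as the range proxy suggested in Reply 22, can be sketched as a small state machine. This is an added example, not part of any post and not Apple's implementation; the RSSI thresholds, the debounce count and all names are assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional

# All thresholds are assumptions for illustration, not Apple's values.
UNLOCK_RSSI = -50     # dBm; signal must be at least this strong to unlock
PRESENCE_RSSI = -80   # dBm; weaker signal still counts as "watch nearby"
MISSES_TO_LOCK = 3    # consecutive absent samples before locking (debounce)


@dataclass(frozen=True)
class Sample:
    """One constructed observation of the watch as seen by the computer."""
    rssi: Optional[int]   # None means the watch was not seen at all
    authenticated: bool   # on wrist and PIN-unlocked, proven over an authenticated link


class ProximityLock:
    """Asymmetric policy: strict conditions to unlock, loose ones to stay unlocked."""

    def __init__(self) -> None:
        self.locked = True
        self._misses = 0

    def observe(self, s: Sample) -> bool:
        """Feed one sample; return True if the computer is locked afterwards."""
        seen = s.rssi is not None
        if self.locked:
            # Unlock only for an authenticated watch at close range.
            if s.authenticated and seen and s.rssi >= UNLOCK_RSSI:
                self.locked = False
                self._misses = 0
        else:
            # Staying unlocked needs only presence, authenticated or not,
            # so a watch charging on the desk does not lock the session.
            present = seen and s.rssi >= PRESENCE_RSSI
            self._misses = 0 if present else self._misses + 1
            if self._misses >= MISSES_TO_LOCK:
                self.locked = True
        return self.locked


def run(trace: List[Sample]) -> List[bool]:
    """Replay a trace through a fresh policy and return the lock state per sample."""
    policy = ProximityLock()
    return [policy.observe(s) for s in trace]


# Constructed traces (not captured data).
STOLEN_FROM_DESK = [
    Sample(-45, True),    # owner arrives wearing the watch: unlock
    Sample(-55, False),   # watch taken off to charge: session stays open
    Sample(-90, False),   # watch carried away, below presence threshold
    Sample(None, False),
    Sample(None, False),  # third miss: lock
    Sample(-40, False),   # watch brought back, still unauthenticated: stays locked
]
NEXT_ROOM = [Sample(-70, True), Sample(-48, True)]  # in range but too far, then close
BRIEF_DIP = [Sample(-45, True), Sample(-85, True), Sample(-60, True)]

if __name__ == "__main__":
    for name, trace in [("stolen", STOLEN_FROM_DESK), ("next room", NEXT_ROOM),
                        ("dip", BRIEF_DIP)]:
        print(name, run(trace))
```

The debounce keeps a single weak reading from locking the session, and the "next room" trace shows why the unlock threshold has to be much tighter than the presence threshold.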
  • Reply 29 of 46
    why- Posts: 305 member
    I still would prefer a built in service like an iris cam or fingerprint reader
    edited June 2016
     0Likes 0Dislikes 0Informatives
  • Reply 30 of 46
    Soli Posts: 10,038 member
    volcan said:
    Soli said:

    While BT's max distance is excessive for this usage and NFC's closed magnetic loop has obvious benefits when dealing with proximal security between two wireless nodes, I think you'll find that NFC's max distance is far too short for this to be useful.

    Let's say it auto locks after 2 minutes away from the keyboard (which I think is far too long), even having your wrist off to one side or working between both parts of an L-shaped desk seems problematic. Maybe the next gen NFC could resolve that, but I think BT has more than enough features to make it by far the most ideal option.
    Did they say it auto locked when you leave the workstation? I assumed it only unlocked the computer. I for one, often take off the Watch while at work to charge it, so that would be problematic if it logged me out. 
    1) If it only unlocks it but doesn't lock it when you're away from the machine, then that's a missed opportunity in several regards.

    2a) If you take your Watch off while using your Mac, that's fine, you'll just do what you currently do now to lock and unlock your Mac. If you use it to unlock your Mac and then take it off to charge, I can see it locking again thereby requiring you to do a manual authentication via your password.

    2b) Do you wear your Watch while sleeping or have an unusual battery issue that prevents you from wearing it during your waking hours?

    I think it is simple enough to log out manually because you don't have to type in a password to do that. 
    I'm not talking about logging out. I'm talking locking. The only reason I even use a screensaver is because I can pair it with a Hot Corner and set it to lock when enabled. Who logs in and out every time they step away from their machine? Hell, I rarely even ever restart my Mac.
    Certainly no reason for it to automatically log out just to walk across the room to retrieve something from the printer. 

    Sure there is. To have a secure workstation you need to have it locked when it's unattended. In an office building, especially with cubicles, or if you're using the bathroom at a coffee house, you should always have your 'PC' locked when not in front of it. For most of us, this is a long-established habit; for others, it's something they can't seem to remember.

    If the computer had to be awake for the watch to unlock it then it could work with the default BT Power Class since you'd have to be close enough to wake it up instead of having it unlock automatically when you arrive in the parking lot.

    Even with a new and improved Power Nap and BT 5 I doubt this could work without your machine being awake.
     1Like 0Dislikes 0Informatives
  • Reply 31 of 46
    mac_128 Posts: 3,454 member
    why- said:
    surprised this doesn't work with the iPhone as well


    Also I've always been curious, how does the apple watch verify your identity without touchID?
    The watch requires a PIN to authenticate it. If you remove it from your wrist it will require the PIN again to access it. Optionally, it can also be configured to authenticate if you use Touch ID or your code to access the phone it is paired to. But it will also need to be on a wrist in range for this to work.
    I wonder if Apple has done anything about that bug that allows a Watch to be transferred from one wrist to another using the palm of your hand without losing authentication. It's not likely to happen, nor anyone to go to such lengths to get into your Mac, but at least when the watch first came out it was technically possible.

    I also wonder how it would work with the iPhone? Remember the rumor that said Touch ID might be used to unlock the Mac? Well we know they are connected via Pay, but upon reflection ... how would you unlock it? I guess if you walked away with the phone and came back, the proximity would wake the Mac and ask for your Touch ID, which if in your pocket would require fishing it out, so why not just enter the password on the keyboard? If laying on the desk, you'd have to wake the Mac? Or maybe wake the phone which also wakes the Mac, and Touch ID would unlock both? Interesting ...
     0Likes 0Dislikes 0Informatives
  • Reply 32 of 46
    SpamSandwich Posts: 33,407 member
    ppietra said:
    no support for auto-unlock with an iPhone? weird
    Are there any other security policies involved? Since the Watch can be authenticated with a PIN, that means it would become the weakest security link to get into a Mac. For most people it wouldn’t be of much concern, but in today's world a PIN is not a good security policy.
    A PIN is more secure than a fingerprint, since one can be legally compelled to provide one's fingerprint to unlock a device (regardless of what is the reason for the security concern).
    edited June 2016
     0Likes 0Dislikes 0Informatives
  • Reply 33 of 46
    volcan Posts: 1,799 member
    Soli said:

    2b) Do you wear your Watch while sleeping or have an unusual battery issue that prevents you from wearing it during your waking hours?

    Yeah, I wear the Watch at night hence I charge it at work, but I mostly blame that on my wild outdoor cat. She starts pounding on my bedroom window at like 2:00 AM trying to wake me up. I refuse to get up earlier than 4:30 so I check my watch. Fortunately, the wife uses earplugs while sleeping or I'd probably be divorced. She swears I love that cat more than I love her, although I know she loves the cat too, just she doesn't admit it.
     0Likes 0Dislikes 0Informatives
  • Reply 34 of 46
    macgui Posts: 2,648 member
    There's no real value in requiring a computer to lock when the Watch is out of range. In fact, it would probably be more trouble than it's worth, so no ROI to make it a feature. Requiring the Watch to be in very close proximity to a computer to unlock it makes sense. Trying to have the computer auto lock when the user steps away is problematic. Defining that distance and having it work reliably, every time, wouldn't be easy. Given that one can lock their desktop or laptop very easily and quickly before even getting out of their chair, it just doesn't make sense functionally or economically to require an auto-lock scenario. Apple demoed this on a MacBook with flash storage, not a spinning platter drive. I don't know that auto lock/unlock would be that seamless with a platter drive. Wow, how did we ever function without iris scans, fingerprint readers, and genome sniffers in our weasily day-to-day 9-to-5? Apple isn't selling this to the NSA. This is a convenience for the 90% of regular people, most of whom probably, at this point in time, don't password protect access to their computer in the first place. This might actually induce them to increase their security.
     0Likes 0Dislikes 0Informatives
  • Reply 35 of 46
    danwells said:
    I hope that, by the time Sierra is released, this will be extended to the iPhone as well, rather than used as a ploy to sell the Apple Watch. It would be perfectly easy to do the same thing with an iPhone, which most Mac owners have (there are so many more iPhones out there than Macs that I'd assume the Mac/Android combination is somewhat rare (or owning a relatively expensive recent Mac but no smartphone at all)). Of course, you can still unlock your Mac the old way if you prefer Android or don't have a smartphone - but MANY more people could use auto-unlock if it worked with the iPhone.


    Doesn't it seem implausible to you that, if someone does not want an Apple Watch, they are not going to rush out and get one simply because it can unlock their Mac now?

    This is just another step in convenience if you are already invested in an Apple Watch. It's not like you cannot unlock the Mac if you don't have a Watch.


    Another thing you need to keep in mind is that WWDC is just one half of the equation. There will be some more announcements when the new Macs and iPhones are announced.


     0Likes 0Dislikes 0Informatives
  • Reply 36 of 46
    can bluetooth detect distance, or is it a case of ON/OFF within range? Bit concerned that with bluetooth's range, you could be in the next room yet someone is able to unlock and use your mac. Similar to keyless-entry cars that remain unlocked if you, for example, park next to a cafe and sit adjacent the car but inside the building - front row seat to someone stealing stuff from inside the car.
     0Likes 0Dislikes 0Informatives
  • Reply 37 of 46
    spheric Posts: 2,800 member
    macgui said:
    There's no real value in requiring a computer to lock when the Watch is out of range. 
    I can hardly think of a scenario where it would NOT be an advantage to have the computer lock when you get out of range. 
     1Like 0Dislikes 0Informatives
  • Reply 38 of 46
    Never mind! Read the release notes lol

    edited June 2016
     0Likes 0Dislikes 0Informatives
  • Reply 39 of 46
    dcgoo Posts: 286 member
    macgui said:
    There's no real value in requiring a computer to lock when the Watch is out of range. ... Wow, how did we ever function without iris scans, fingerprint readers, and genome sniffers in our weasily day-to-day 9-to-5? Apple isn't selling this to the NSA. 
    Actually, they probably are.  But the customer refused to be a reference.  /s
    edited June 2016
     0Likes 0Dislikes 0Informatives
  • Reply 40 of 46
    instant... HIPAA Violation. This feature needs to be disabled by an MDM agent if used in a corporate environment. Hopefully Apple will add this to the feature list of MDM agents (like AirWatch) that can disable this. Now we just need Apple to comply to allow all iCloud services to be banned from users using it. iCloud is NOT EPHI or HIPAA compliant.
     0Likes 0Dislikes 0Informatives