Watch ID

/ 2 January 2021

Almost everyone who uses any Apple mobile device at least knows about Touch ID and/or Face ID, and likely uses them. If you have a laptop Mac, that is the same, as they come with Touch ID embedded in their power buttons. But that really isn’t the end of Apple’s biometric authentication story. For those with an Apple Watch and Mac, you also have what I’ve started calling Watch ID (though Apple hasn’t yet realized this is a good name for it). Yes, in some ways this is less true biometric authentication, as the Watch is merely kept unlocked by sensing a heartbeat, not necessarily your heartbeat. But, if you set a lengthy passcode on the Watch, and use your phone to unlock it each time you put it on, it kinda does become a convenient biometric sensor for authentication.

All Apple Watches, and all Macs that can run Big Sur, support the basic function of allowing the Watch to auto-unlock the Mac. Look for this in System Preferences > Security & Privacy > General. It was this feature that first made my Mac feel like it had something akin to Touch ID. In fact, I’ve since (this has been around for a few years) vastly improved my user account passwords to be far more complex, as I rarely need them. Indeed, for a desktop, I find that Watch ID is better than either Touch ID or Face ID are. You don’t need to place your finger on a specific key of the keyboard, nor look at a specific display (I use two displays on my Mac). All you need to do is be near the Mac, touch the trackpad or keyboard to wake it up, and wait. Fairly quickly, unless a problem occurs or it is time for your Mac to insist on you typing your password, you’ll be at your unlocked Mac ready to get to work.

Any Series 1 Watch and up has the further feature of allowing the Watch to unlock apps. The user interaction of this is identical to authorizing Apple Pay on your Watch for your Mac: Double-clicking the side button when tapped. The Watch will tap you, then double-click and you’ve authorized. But this feature is far more haphazard in regard to where it works. My experience is that it mainly works in:

  • Nearly all system admin authentication dialogs, like moving protected files in Finder, although a handful in System Preferences still require your password
  • 1Password recently gained support for this on Macs that contain a Secure Enclave

While this covers 90 plus percent of daily uses, this leaves out a number of additional areas that would be nice, namely:

  • Admin authentication dialogs in 3rd-party apps, such as BBEdit when editing protected files
  • sudo at the command-line (but, see appendix)

Grant you, even Touch ID on the Mac does not necessarily cover all these areas. But Apple definitely has not raised Watch ID to the same level even as Touch ID. I’d love to see macOS 12 bring about true Touch ID (maybe even Face ID on some models by then…) and Watch ID parity, and both having full reign over authorizing tasks on the Mac. This really would not need additional watchOS work I believe, as really it just necessitates macOS asking for and allowing this biometric authentication in more places. I believe that Watch ID is more suited for desktops than even Face ID would be, so I just hope that Apple eventually recognizes how much more convenient both having full reign would be. Please, Apple, improve the places biometric authentication of all sorts is usable in macOS.

Appendix: pam-watchid

The sudo command, and other parts of the OS, use PAM to authenticate. While Apple actually provides a PAM plugin for Touch ID (but doesn’t have it enabled anywhere yet), they do not have the equivalent for Watch ID. That is where the open source project pam-watchid can help. Clone, build, and install that, and from experience I know it works. It simply brings Apple’s own API for Watch authentication to PAM. The only complication is that a “feature” of macOS is that a number of config files get reset with every update, including those for PAM (and SSH, where I’ve previously been fighting this). So, after every update you’ll need to redo the config changes described in the installation process. But, that can be scripted to make life easier. This plugin may be functional in other areas that PAM is used, but since I’d rather not risk breaking the kind of authentication BBEdit uses (where I can reset this change if needed) I’ve decided not to explore that.