Apple's web of authentication

Apple uses three main authentication factors: something you know, something you have, and something you are.

As someone who seems to live most of his life on the Internet, I’ve always appreciated Apple’s thorough and thoughtful approach to security. The company realizes that we keep all sorts of important stuff in our devices, from our credit card numbers to our super-secret, handed-down-through-seventeen-generations French toast recipes. Hardly the kind of stuff we want plastered all over the world.

Like every other technology company, Apple has to weigh the fundamental tradeoff between security and convenience. In general, the higher the level of security, the less convenient it is—no surprise there, since making something more difficult for someone else to break into generally means making it more difficult for you, too.

Apple’s security measures are pretty comprehensive, and they’re only getting better. With the latest additions to Apple’s lineup this fall, the company is getting one step closer to creating an interconnected web of authentication that should hopefully make your device security better and more transparent. 

The X factors

When it comes to security, the safest options rely on a multi-factor authentication approach. That is, you ideally want to be able to prove your identity using not just one piece of information, but several different pieces. Traditionally, there are three types of factors: something you know (such as a password), something you have (such as a key), and something you are (biometrics). 

Apple has now implemented authentication via all these factors: passwords and passcodes, your mobile phone and Apple Watch, and Touch ID. In general, when you try to take an action that requires authentication, Apple asks for at least one if not more of these factors. For example, the company’s two-step verification (and now its two-factor authentication) sends a code to an iOS device or a Mac when you try to log into your iCloud account or make an iTunes purchase from a new device. So, not only do you have to know the password to that account, but you also need to be able to prove that you have the device in question.

With Apple’s new two-factor authentication, that’s even further improved, since all your other devices will be alerted, letting you know if someone else is attempting an unauthorized login.

My voice is my passport 

Once the stuff of science fiction, biometric authentication has become pedestrian. Logging in to your phone with your fingerprint certainly makes it more convenient, especially when you do it so many times a day, and it allows you to, for example, create a far longer passcode since you hopefully won’t have to enter it as frequently.

Biometric security comes with its own risks, however. Unlike a password or passcode that can be stored in your memory alone, biometrics relies on something that’s easily accessible. You leave fingerprints everywhere, for example, and face-based biometrics can in some cases be circumvented via video. And once compromised, that form of security basically can’t be used again: you can change your password if your account is hacked, but you can’t really change your fingerprints. 

Some precautions can be taken to make that harder. For example, when Apple stores your fingerprint for Touch ID, it’s not actually keeping an image of your fingerprint but storing a series of mathematical measurements and information about it. If that digital information—which is stored in the isolated secure enclave on an iOS device’s processor—is somehow compromised, it would be hard to turn that into something that could be used to create a fake fingerprint. Harder, anyway, than lifting an actual fingerprint from somewhere in your house and creating a fake fingerprint using that. Either way, it does require some degree of dedication.

Rumor has it that Apple is investing further in biometrics, possibly including an iris scanner in a future version of the iPhone. If true, presumably it would use much the same methodology as Touch ID.

Wear your authentication on your sleeve 

Apple announced one additional authentication feature debuting this fall. Using watchOS 3, iOS 10, and macOS Sierra, you’ll be able to unlock your Mac without entering your password when you’re wearing your Apple Watch.

This is an interesting and somewhat complex web of authentication, which essentially works like this: when you unlock your Apple Watch, you need to enter your passcode on it or on your iPhone. However, the Watch knows when it’s being worn, and can automatically lock when it’s removed from the wearer’s wrist. (There is a workaround, but it’s a little tricky.) As long as you’re wearing your Watch, it’s considered to be an authenticated token, in the same way that you can use it for Apple Pay as long as it’s been unlocked. 

That could open up opportunities for the Watch to be used as an authenticated token in other places, too. Who knows? Maybe someday your Apple Watch will be the key fob for your Apple Car, letting you open the door and start the engine without having to take any actions. Maybe HomeKit-enabled smart door locks will use the Watch to authenticate you to your house. Perhaps you might even be able to watch content you own on a friend’s Apple TV if it detects your Apple Watch in the vicinity. 

I have no doubt that seamless security and authentication will continue to be major features that Apple pushes as it continues to improve its existing products and roll out new ones. After all, the company not only likes to boast of the things only its integration between hardware, software, and services can accomplish, but also about its stance on privacy and security. Why not take the opportunity to improve both?
