There’s an old belief that you can’t have both security and convenience, and that’s seen as especially true in your digital life. I’m sure Apple would dispute that assertion, pointing to things like Face ID as evidence it can do both.
Yet, as we’ve seen in recent months, there are actually times when Apple’s ecosystem, so tightly linked across its platforms, can actually undermine its own security. If your dwelling only has one locked door, it only takes one key to have access to the whole house.
Face ID, the iPhone, and the Apple Watch
Face ID is the best example of the security catch-22 a company like Apple can end up in. By itself, it’s superb, far outstripping anything Apple’s Android rivals can come up with, at least when it comes to facial recognition. It is fast, easy to learn, available on many of your devices, and yes, both secure and convenient. It’s exactly what you imagine when you think of Apple innovation.
Under normal circumstances, it works great. But I don’t think anyone can claim the last 18 months qualify as “normal circumstances,” and for all the disruption the pandemic has caused, it has also exposed the weak point of Apple’s tightly bound ecosystem.
That’s seen in Face ID’s tie-in with the iPhone’s Unlock with Apple Watch feature. If you have an unlocked Apple Watch on your wrist, you can use it to open up your iPhone when Face ID doesn’t recognize you. It’s specifically designed for times when wearing a mask obscures your visage such that Face ID cannot identify you properly. It’s a slice of convenience for a pandemic world.
It’s a slice of convenience for a pandemic world.
The problem is that it seems incredibly forgiving. I have both an Apple Watch and an iPhone, so I end up using Unlock with Apple Watch on an almost daily basis. And nearly every day, there will be at least one time when my Apple Watch unlocks my iPhone when I haven’t even looked at it. It’s not like my face was obscured by a mask — I’m often facing another direction entirely. Face ID on my iPhone is set to “require attention” — in other words, I have to look at my iPhone to unlock it. Yet Unlock with Apple Watch apparently completely bypasses that requirement.
And with one weakness in the system, the whole ecosystem is at risk.
Sidestepping Face ID
What’s worse is that this feature simply requires an unlocked Apple Watch to work — and unlocking an Apple Watch is child’s play. Instead of the complex security layers of Face ID or Touch ID, all that’s required to get into an Apple Watch is a simple four-digit passcode. Given how many of us use memorable, identifiable dates and numbers for this kind of lock-up mechanism, prying open an Apple Watch is beyond easy.
And that’s a problem because of how permissive Unlock with Apple Watch is at unbolting an iPhone. Apple claims the chances of someone fooling Face ID are one in a million. But when a simple four-digit passcode is enough to get into an Apple Watch, Face ID’s apparently watertight security becomes totally irrelevant.
All that’s required to get into an Apple Watch is a simple four-digit passcode.
It’s not just your iPhone that this affects. You can do the same thing with a Mac. An unlocked Apple Watch can log you into a connected Mac provided you’ve set up Unlock with Apple Watch. Once again, all you need is a four-digit passcode for the Watch and suddenly the Mac’s contents are all yours.
The security ecosystem implications
Ultimately, this wouldn’t be happening if Apple’s ecosystem were not so tightly bound. It’s only by having devices that closely interact and communicate with each other that an Apple Watch is able to unlock an iPhone when your face is obscured. But in giving users that extra step of convenience, the company is undermining its famous security.
That’s not to say Apple can’t work out a way to have both — to let users have their cake and eat it. But right now, anyone who steals an iPhone and an Apple Watch only have a trivial obstacle to surmount to gain access to all your personal files and info. That’s far from the security-conscious Apple I thought I knew.
