
How to Unlock Your Mac with a Wave of Your Hand

Okay, with a wave of your Apple Watch. It’s magic. You walk up to your Mac, touch a key to wake it up, and upon noticing that you’re wearing your Apple Watch, it unlocks without making you enter a password. Brilliant! For some of us, it’s pretty much reason enough to get an Apple Watch.

Auto Unlock, as Apple calls this feature, lets you protect your Mac with a strong password—recommended for international spies and teenagers alike—without forcing you to type your password repeatedly. (You will have to type it the first time after you turn on, restart, or log out of your Mac.) 

To enable this protection and keep people out of your Mac when you’re away, go to System Preferences > Security & Privacy > General and select “Require password after sleep or screen saver begins.” Since your Apple Watch will be doing all the heavy lifting, feel free to set a short time span. Then select “Allow your Apple Watch to unlock your Mac.” If the stars are smiling on you, that’s all you’ll need to do.

 
 

However, it’s likely that something won’t be quite right for Auto Unlock to function properly, since it has a bunch of requirements.

First, make sure your hardware is new enough and sufficiently up-to-date. Your Mac must be from mid-2013 or later, and it must be running macOS 10.12 Sierra or later. (If you aren’t sure about your Mac, see if that checkbox labeled “Allow your Apple Watch to unlock your Mac” is present. If not, your Mac is too old.) Any model of Apple Watch will work, but it needs to be using at least watchOS 3.

Next, you need to turn on two-factor authentication. If you were using Apple’s previous two-step verification, you must switch to two-factor authentication. It adds an extra layer of security to your Apple devices and accounts, including iCloud, and is well worth doing in this day and age of password thefts. Plus, it ensures you don’t have to remember those security questions about your favorite elementary school teacher! The links earlier in this paragraph have more details, but you enable two-factor authentication in System Preferences > iCloud > Account Details > Security.

Now for the checklist. For Auto Unlock to work:

  • Your Mac must have Bluetooth turned on. Click the Bluetooth icon in the menu bar or look in System Preferences > Bluetooth.
  • Your Mac must have Wi-Fi turned on, even if you’re using Ethernet. Click the Wi-Fi icon in the menu bar and choose Turn Wi-Fi On if necessary.
  • Your Mac and your Apple Watch must be signed in to iCloud using the same Apple ID. Verify that in System Preferences > iCloud on the Mac, and on your iPhone in the Apple Watch app, in General > Apple ID.
  • Your Apple Watch must have a passcode enabled. On your iPhone, in the Apple Watch app, tap Passcode and then Turn Passcode On. So you don’t have to enter your passcode, enable Unlock with iPhone.
  • Your Mac must not be using Internet Sharing. Verify that in System Preferences > Sharing.

It’s a lot to check, we know, but you only have to do it once. After that, go back to System Preferences > Security & Privacy > General and select “Allow your Apple Watch to unlock your Mac.” It may prompt for your password, and there you have it.

After that, every time you wake your Mac or stop the screensaver, it will unlock automatically with your Apple Watch. If you’re not wearing the Apple Watch, or if your watch is locked (hence our recommendation of Unlock with iPhone), you can still type your password at the Mac’s login screen.

There is one small gotcha. Every time you install a macOS update, Apple disables that checkbox, presumably for some security reason. Just go back into the Security & Privacy preference pane and turn it back on. Happily, that’s a small price to pay for not having to unlock your Mac with your password multiple times per day.

What's the Deal with Two-Step Verification?

It seems that we can’t go a week without hearing about some new security breach involving tens of thousands or even millions of passwords. That’s why it’s essential that you use strong passwords of random characters (and manage them in a full-featured password manager like 1Password or LastPass or, for a more basic approach, iCloud Keychain). But many major Internet companies like Apple, Google, Facebook, and Dropbox offer an option for a higher level of security, called two-step verification.

With a normal account, a bad guy has to get only one thing—your password—to break in. With an account that’s protected by two-step verification, however, breaking in becomes far more difficult. That’s because logging in requires both your normal password and a time-limited one-time password that is generated by a special authentication app or sent to you in an SMS text message or via email. What’s important about these secondary passwords is that they’re valid only for a short time and they can be used only once. You have to enter these secondary passwords only the first time that you log in on a particular device or in a particular Web browser, so they are just an occasional extra step, not a daily inconvenience.

Sites that offer two-step verification will provide setup and usage instructions, but the basics are as follows. You’ll enable two-step verification in the account settings, and then tell the site how you’ll get the one-time password when you want to log in, generally providing your phone number or email address. For services that use an authentication app like Google Authenticator, Authy, or 1Password, you’ll have to scan a QR code on screen or enter a secret key—either way, that seeds the app with a value that enables it to generate a valid one-time password every 30 seconds. Make sure to record any backup codes the site provides; they’re essential if you lose access to your phone or your email.

When it comes time to log in to a service protected by two-step verification, you’ll enter your username and password as you normally would. Then, you’ll be prompted for a one-time password, and the service will either send you one via SMS or email, or require you to look it up in your authenticator app. Since a bad guy who might have obtained your normal password would also have to intercept your text or email messages, or have stolen your mobile phone (and be able to get past its passcode), you’re far, far safer.

Most sites that use two-step verification don’t require that you enter a one-time password on every login, since that would be overkill. It’s also unnecessary to enable two-step verification for every account you might have—there isn’t much liability to someone logging in to your New York Times account since they couldn’t do anything diabolical once in. For more-important accounts—email, social media, cloud services, banking—you absolutely should use two-step verification for added protection so a bad guy can’t impersonate you to your friends, receive email-based password resets for other sites, or access your most important data.

You may also hear the term two-factor authentication, which is even more secure than two-step verification when implemented correctly. That’s because two-factor authentication combines something you know (your password) with something you have (such as a secure token keyfob that generates time-limited one-time passwords) or something that’s true of you (biometric info like a fingerprint or iris scan). It might seem like using your iPhone to get a text message or run an authenticator app qualifies, but if you end up doing everything on a single device that could be compromised, it’s not true two-factor authentication.

Regardless of the terminology, going beyond a single password, no matter how strong, significantly increases your security, and you would be well served to employ such a security technology for your most important accounts. To learn more about why strong passwords are necessary, using password managers, and even more details behind two-step verification and two-factor authentication, check out Take Control of Your Passwords.