Wearable security: Two-factor authentication apps for Apple Watch

The Apple Watch could become our central hub in a wheel of identity, in which all spokes rotate around our wrist. Some early Watch apps already have a high degree of utility. But we're only scratching the surface of what's to come.

In this roundup, we look at six apps that offer varying forms of authentication on the Watch. Three allow a tap on the Watch to unlock something: an account, a login, a computer, or more. The other three handle the most common form of app-generated second-factor authentication codes.

Speak, Friend, and enter

As a highly personal device, the Watch should let you chain its security with that of your phone: the default configuration locks a Watch when it's removed from your wrist, and unlocks it when your phone is unlocked. To use these apps, you'll always have to have your phone with you, and you'll have to unlock one or both devices to use them.

That combination means that a tap on a Watch can be as secure as entering a passcode or using Touch ID by inference. I wouldn't gamble nuclear security on it, but for unlocking the right set of resources, it's a powerful but reasonable shortcut.


Knock ($5) is a very simple app with a very simple purpose that it accomplishes admirably on a phone and on the Watch. The iOS app pairs with an OS X app. Once installed and set up, you can unlock your Mac by knocking twice on your phone when you're nearby. Good enough.

With the Watch app for Knock, whenever you jiggle the mouse, swipe the trackpad, or tap a key to wake the login screen, a notification appears on your Watch as well as in iOS. Tap Unlock, and, voilà, your Mac is available. The current version only pairs with one Mac, and it's more parlor trick than absolutely useful. But after installing it, I find myself using it every single morning to unlock my desktop computer rather than type in a password.


oneID (free) takes a little getting used to, because although it seems to have much in common with software like 1Password (see below) and LastPass, it's instead a web-site login capture system. As with many newer apps, it has a strong, single focus. After installing the OS X app, whenever you log into a website in Chrome and Firefox (Safari should be coming), oneID captures the login information.

You can configure through a web dashboard or via an iOS app whether replaying that login on a subsequent visit requires approval from a phone or with a PIN. If you check Require Phone, then the next time you visit a site for a login that's been captured in oneID, a phone overlay will appear in the upper right of the browser, and your phone and Watch will receive a notification. You can then tap Confirm (or Reject or Dismiss).

(oneID is free, but the company behind it makes its money from integrating this easy login approach for nonprofits and political groups for easy repeat donations. But there are no strings to use the ecosystem on its own.)

Duo Security

This is a bit on the enterprise and extra-geeky side, but it's a good example of how the Watch will fit in as part of corporate security. Duo Security makes software that integrates with all kinds of back-end systems from straightforward Unix shells to VPN connections to Web apps and much more. I use Duo Security's basic free service to secure a Linux virtual private server (VPS), for instance.

When you connect to an app or service protected by Duo Security for which you're an authorized user, the company's system can send one of several kinds of alerts or, in some cases, you can choose which one. When I connect via SFTP to my Linux box, I can only use the iOS app; via an SSH login, I can choose app-based authentication, an SMS code, or a phone call that speaks a code to me.

The Watch integration for Duo Security gives you a simple Approve and Deny notification along with the name of the service and the account. Tap, and you're done. I no longer use the iPhone app; I favor the Watch notification.

Shred after Reading

The geekily named time-based one-time passwords (TOTPs) were made popular by Google's Authenticator app. They're broadly used now instead of, or as an alternative to, a code sent via SMS or through a dedicated app. A TOTP is seeded with a QR code (those 2D grids of rectangles that look like noise) or an initial string of text from the website at which you're enrolling to use a second factor for logging in. An algorithm combines that seed code with the current time to create tokens that typically work for one minute.

TOTPs are used by Google web apps, Facebook, Dropbox, and many others. Apple has a separate proprietary two-step approach. (For more background detail, see my Private I column from last October.)


Authy (free on all platforms) is a robust multi-platform service for managing and syncing TOTPs. Enter or scan the seed information on one device, and it can be available on every device with which you connect. The Watch app, as an extension of the iPhone app, allows quick access to any code. Authy on the Watch shows all the tokens that are available. Tap an entry and receive the latest code along with an indicator as to remaining time.

The first time you use the Watch app, you need to open and unlock Authy on your phone. Based on conversations on Twitter, this first step is confusing, and I can't find anywhere Authy documents it. And for the small number of sites that use Authy exclusively for a second factor, like Coinbase, you'll also be asked to authenticate at the phone the first time for each of them you try to obtain a token on the Watch. This is also not documented.

Authy recently announced OneTouch, which will provide a single-tap Watch or mobile device login like Duo Security's but available for integration into websites and apps.


AgileBits' 1Password (free on iOS) is best known as a password storehouse and generator, as well as for keeping track of and autofilling credit-card and other information. Its integration into iOS 8 using an extension started good and got better, and many apps now integrate in iOS to pull 1Password-stored logins directly.

But 1Password added support for one-time passwords in iOS in January and in OS X in April as a second step in verifying identity. The 1Password Watch app can display entries that are set in the iOS version by tapping Add to Apple Watch. (The addition is made via a tag, so you can manually add "Apple Watch" as a tag in the OS X release for the same effect.)

For any entry that has both a password and a TOTP, 1Password cleverly shows just the one-time code on the Watch.

The $10 Pro in-app purchase is necessary for Watch features. The OS X app costs $50 for a single-user license.


Lockdown ($4) is another entrant in this category, but has a few unique aspects. First, it lets you preserve the seed codes for TOTPs. There are risks associated with that, but given that few apps and ecosystems let you recover those original codes without resetting your entire two-step or two-factor login at a site or through a service, it's worth considering. (In testing these apps, I wish I'd had such copies!)

Second, it can speak codes aloud from the phone, which is extremely useful. It's almost always perfectly safe to have a code shared (see the screen captures in this article) or spoken aloud because they are only good during a very brief window of time and still require the other account credentials to use. I hope to see this feature come to the Watch when developers are able to access the Watch's features fully later this year.

Favorite an item in iOS and it appears in the list on the Watch. The app is currently available only for iOS, but a Mac version is coming this month.
