One of the things I was really looking forward to with macOS Sierra and watchOS 3 was the ability to unlock my Mac with my Apple Watch. I know it’s a small thing but typing that silly password 20 times a day gets on my nerves. I’m not as crazy as George from Tulsa thinks I am, as I didn’t upgrade my podcasting Mac, but I did upgrade my MacBook to Sierra and I upgraded my Watch right away to watchOS 3, so I really wanted to test this feature out.
It turned out to be quite a bit more complicated than I expected. I’ll explain why as we go through all of the steps. If you’d rather just jump right in and do it yourself, of course I did a full tutorial so you can skip ahead:
How to Disable Apple’s Two-Step Verification and Enable Two-Factor Authentication
I figured the place to turn this feature on would be in System Preferences, Security & Privacy where you originally enable a password to unlock the Mac. I guessed right because just below that was a section that said “Allow Apple Watch to unlock your Mac” and right below that it showed my original Apple Watch (which is still paired to my account) and my new Series 2 Apple Watch. I happily clicked the checkbox to allow my Watch to open the Mac.
But I was immediately shown a screen that really confused me at first. It said, “Two-factor authentication is required to allow your Apple Watch to unlock your Mac. To turn on two-factor authentication, you must turn off two-step verification at appleid.apple.com.” Um, what?
Let’s roll back the clock a little bit to see what happened here. Some time ago Bart really pushed us to start doing two-factor authentication on important sites. In particular we talked about doing it for our Apple IDs. I remember being very proud of myself for turning it on, but some folks on Twitter corrected me, saying that I had not turned on two-factor authentication, I’d turned on two-step verification. I thought maybe they were just persnickety types who liked to nit-pick (a favorite past time on Twitter), but evidently they were on to something.
I thought maybe I’d better figure out the difference here. I found two support articles from Apple. One for Two-step Verification and one for Two-factor Authentication. I read both of these documents from start to finish, twice to be sure I understood the differences. Here’s a quote from the two-factor authentication page:
Two-factor authentication is a new service built directly into iOS, macOS, tvOS, watchOS, and Apple’s web sites. It uses different methods to trust devices and deliver verification codes, and offers a more streamlined user experience.
Two-step verification uses SMS to send 4-digit codes, where two-factor authentication uses built-in functionality of the operating systems to send 6-digit codes. Two-step verification has a couple of added security things, like a recovery key you can use if you lose your devices, but evidently that’s not a critical piece of the puzzle since it’s not included with two-factor authentication. SMS is less secure than the service integrated into iOS 9 and above, which is the main reason two-factor authentication is more secure.
Armed with this understanding of how two-factor authentication is better, I embarked on the adventure to switch to the new and improved method. I followed the instructions and went to appleid.apple.com. Scrolling down to the Security section I found an Edit button on the far right side.
The next page had a section for two-step verification with an option to turn it off. Wow, that was easy. Well, not so much. I got a pop-up asking me if I was sure. Once I confirmed, I was faced with a page of new security questions I had to enable. Evidently at this point they’re assuming that I won’t have two-step verification or two-factor authentication, so at least some security questions are better than nothing. I presume these questions will be unimportant after enabling two-factor authentication, but we still have to answer them. Because I’ve been listening to Bart over the years, I made up really crazy answers to each question and dutifully entered my fake answers into 1Password.
Now can I turn on two-factor authentication? Nope. Please confirm your birthday. Um…ok. Now confirm your rescue email. That gave me the confirmation that two-step verification is turned off.
Now it was time for a trip back to System Preferences, but oddly not into Security and Privacy. This time we have to go to the Security tab from within the iCloud preferences. On that tab there’s a button to set up two-factor authentication. Ok, done. Wait, are you sure you want to set up two-factor authentication? YES I’m sure.
Next it suggested maybe I don’t want to do that. It warned me that some of my devices are not ready for two-factor authentication. Two-factor authentication only came into being in iOS 9, but all of my devices are on iOS 10. The only thing I can figure is that it’s keeping track of every device I’ve ever owned and doesn’t know that many of those are no longer mine. I guess I should figure out how to go in and clean that up some time. I’ll get to it right after I clean up how many Kindle’s Amazon thinks I still own. I hit the two-factor authentication button that said Turn On Anyway.
Ok, is it done? Nope. I got a popup on screen asking to enter a 6-digit verification code. Wait a minute … weren’t we just done getting rid of two-step verification? it took me a minute to figure out where the code was. The code was sent to the Trusted Phone Number listed back on the Security section of applied.apple.com. Ok, got it.
Next hoop to jump through was a pop-up on the Mac that said iCloud Preferences wants to make changes to your account. Type your password to allow this. I stared blankly for a while trying to figure out what password it wanted now, and then realized it was the password to my user account on the Mac.
You would think we’ve entered enough codes by now but you’d be wrong. The next pop-up said “Your iCloud data is protected by your iCloud Security code.” I have no memory of ever having set up a four-digit code for iCloud, and I hadn’t saved one in 1Password. There’s a “Forgot Code?” button. That pops up a window that gives you the option to “Use Other Device”, but I never got delivered any codes on any of my devices or emails with instructions on how to reset it. I tried a couple of the usual suspects and got lucky. I can only hope you know your four-digit code for iCloud.
You would think we’re done by now but you’d be mistaken. Next up are instructions to finish setting up two-factor authentication on your iPhone. My iPhone was happily waiting with a window that said, “Enter Passcode”. It said this would be used to confirm my identity when signing in to iCloud on a new device. Ok … what the heck passcode does it want now??? I thought and thought and finally figured out they mean the passcode to unlock the phone itself! They really could have been more clear about this, especially since I don’t use a passcode, I use a password.
And guess what happens next? The iPhone asks you for the password you use on your Mac. Seriously. I had FINALLY completed the steps to turn off two-step verification and turn on two-factor authentication, and trusted one device. The good news is that trusting future devices is simply a matter of entering a six-digit code, once. And again for each new browser.
Finally, and yes I mean finally, you can go back to System Preferences, Security & Privacy, General tab and allow Apple Watch to unlock your Mac. Except it didn’t work. I thought maybe I needed to reboot the Mac, and that did get it to work.
My initial reaction to all of this was that it darn well better be awesome to have my watch unlock my Mac because that was a lot of steps (18 to be exact). Probably the only thing I don’t like about it is that I get a notification on my watch each time I use it to unlock my Mac. I can’t think why that has to happen and I wish I could make it stop but I’m getting used to it.
The good news is that it’s absolutely glorious to open up my MacBook and have it unlock as if by magic.
4 thoughts on “Enabling Two-Factor Authentication to Allow Apple Watch to Unlock Your Mac”
A point on the paragraph after the quote. Two step verification does not have to use SMS. I’ve been using it with built-in support from iOS since March 2013 (iOS 6). It is only a 4 digit code but I can make that code appear on my iPhone, my iPad or my Mac. E.g. when I log into iCloud.com at work, it pops up a list asking me to choose one of those devices. I always choose my phone because that’s what I always have on me. I have a fourth choice, which is SMS and this can be useful in those situations where you may not have a data connection on your phone, but you do have basic cellular service.
This is why I’m wondering how two factor authentication is “more convenient” when it sounds like the prompt for verification is *always* going to appear on *all* of my trusted devices. Cue that familiar argument about multi-user iPads – my iPad is quite likely to be in use in the middle of a game at home when I’m trying to log in to the website at work.
You must be using Find my iPhone then? Quote from Apple article linked above:
“When you set up two-step verification, you register one or more trusted devices. A trusted device is a device you control that can receive 4-digit verification codes using either SMS or Find My iPhone. You’re required to provide at least one SMS capable phone number.”
I am using Find My iPhone (have done since its introduction) but I had no idea this was tied to the 2 step verification.
I like the idea of using your watch. Provided you are the type to wear your watch wherever you go this should work out quite well for you (personally I find wearing watches a bit uncomfortable so I guess it might not work out so well for me).