Wearable security: Two-factor authentication apps for Apple Watch

The Apple Watch could become our central hub in a wheel of identity, in which all spokes rotate around our wrist. Some early Watch apps already have a high degree of utility. But we're only scratching the surface of what's to come.

In this roundup, we look at six apps that offer varying forms of authentication on the Watch. Three allow a tap on the Watch to unlock something: an account, a login, a computer, or more. The other three handle the most common form of app-generated second-factor authentication codes.

Speak, Friend, and enter

As a highly personal device, the Watch should let you chain its security with that of your phone: the default configuration locks a Watch when it's removed from your wrist, and unlocks it when your phone is unlocked. To use these apps, you'll always have to have your phone with you, and you'll have to unlock one or both devices to use them.

That combination means that, by inference, a tap on a Watch can be as secure as entering a passcode or using Touch ID. I wouldn't gamble nuclear security on it, but for unlocking the right set of resources, it's a powerful but reasonable shortcut.


Knock ($5) is a very simple app with a very simple purpose that it accomplishes admirably on a phone and on the Watch. The iOS app pairs with an OS X app. Once installed and set up, you can unlock your Mac by knocking twice on your phone when you're nearby. Good enough.

With the Watch app for Knock, whenever you jiggle the mouse, swipe the trackpad, or tap a key to wake the login screen, a notification appears on your Watch as well as in iOS. Tap Unlock, and, voilà, your Mac is available. The current version only pairs with one Mac, and it's more parlor trick than absolutely useful. But after installing it, I find myself using it every single morning to unlock my desktop computer rather than type in a password.


oneID (free) takes a little getting used to, because although it seems to have much in common with software like 1Password (see below) and LastPass, it's instead a website login capture system. As with many newer apps, it has a strong, single focus. After installing the OS X app, whenever you log into a website in Chrome or Firefox (Safari should be coming), oneID captures the login information.

You can configure through a web dashboard or via an iOS app whether replaying that login on a subsequent visit requires approval from a phone or with a PIN. If you check Require Phone, then the next time you visit a site for a login that's been captured in oneID, a phone overlay will appear in the upper right of the browser, and your phone and Watch will receive a notification. You can then tap Confirm (or Reject or Dismiss).

(oneID is free, but the company behind it makes its money from integrating this easy login approach for nonprofits and political groups for easy repeat donations. But there are no strings to use the ecosystem on its own.)

Duo Security

This is a bit on the enterprise and extra-geeky side, but it's a good example of how the Watch will fit in as part of corporate security. Duo Security makes software that integrates with all kinds of back-end systems from straightforward Unix shells to VPN connections to Web apps and much more. I use Duo Security's basic free service to secure a Linux virtual private server (VPS), for instance.

When you connect to an app or service protected by Duo Security for which you're an authorized user, the company's system can send one of several kinds of alerts or, in some cases, you can choose which one. When I connect via SFTP to my Linux box, I can only use the iOS app; via an SSH login, I can choose app-based authentication, an SMS code, or a phone call that speaks a code to me.

The Watch integration for Duo Security gives you a simple Approve and Deny notification along with the name of the service and the account. Tap, and you're done. I no longer use the iPhone app; I favor the Watch notification.

Shred after Reading

The geekily named time-based one-time passwords (TOTPs) were made popular by Google's Authenticator app. They're broadly used now instead of, or as an alternative to, a code sent via SMS or through a dedicated app. A TOTP is seeded with a QR code (those 2D grids of rectangles that look like noise) or an initial string of text from the website at which you're enrolling to use a second factor for logging in. An algorithm combines that seed code with the current time to create tokens that typically work for one minute.

TOTPs are used by Google web apps, Facebook, Dropbox, and many others. Apple has a separate proprietary two-step approach. (For more background detail, see my Private I column from last October.)
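To make the "seed plus current time" description concrete, here is an added worked example of the TOTP algorithm as standardized in RFC 6238 (built on HOTP, RFC 4226). It is not code from any of the apps reviewed here; it shows what an authenticator app computes from the enrolment seed and the clock, plus the server-side check with a small clock-drift window and the "seconds remaining" figure the Watch apps display. The step size is a parameter: RFC 6238 defaults to 30 seconds, and the decoded seed, the time values and the sample base32 string used below are the RFC's own test vector, not values from any real account.

```python
"""Added worked example of TOTP (RFC 6238) on top of HOTP (RFC 4226).
Not code from Authy, 1Password, Lockdown or any other app in the article."""
import base64
import hashlib
import hmac
import struct
import time


def decode_seed(seed_text: str) -> bytes:
    """Decode the base32 seed a site shows in its QR code or as text.
    Spaces are stripped and '=' padding restored so hand-typed seeds work."""
    clean = seed_text.replace(" ", "").upper()
    clean += "=" * (-len(clean) % 8)
    return base64.b32decode(clean)


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter,
    then 'dynamic truncation' to a 31-bit integer, then the last `digits` digits."""
    msg = struct.pack(">Q", counter)
    mac = hmac.new(key, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(key: bytes, at_time: int, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP with the counter set to floor(unix_time / step).
    Every device holding the same seed and a correct clock computes the same code."""
    return hotp(key, at_time // step, digits)


def seconds_remaining(at_time: int, step: int = 30) -> int:
    """How long the code for this time step stays valid (the countdown the apps show)."""
    return step - (at_time % step)


def verify_totp(key: bytes, candidate: str, at_time: int,
                step: int = 30, digits: int = 6, window: int = 1) -> bool:
    """Server-side check: accept the current step and `window` steps either side
    to tolerate clock drift. hmac.compare_digest keeps the comparison constant-time.
    A code is only ever good for these few steps, which is why a code that has
    been displayed or spoken is of little use to anyone once the window passes."""
    if not (candidate.isdigit() and len(candidate) == digits):
        return False
    counter = at_time // step
    for delta in range(-window, window + 1):
        if hmac.compare_digest(hotp(key, counter + delta, digits), candidate):
            return True
    return False


if __name__ == "__main__":
    # Constructed seed: base32 of the RFC 6238 test key b"12345678901234567890".
    key = decode_seed("GEZD GNBV GY3T QOJQ GEZD GNBV GY3T QOJQ")
    now = int(time.time())
    print("code:", totp(key, now), "valid for", seconds_remaining(now), "s")
```

Real deployments vary the parameters (SHA-256 instead of SHA-1, 8 digits, a 60-second step), but the structure is always this one: the seed is the only secret, so anyone holding it can generate every future code, which is the risk to weigh when an app offers to keep a copy of it.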


Authy (free on all platforms) is a robust multi-platform service for managing and syncing TOTPs. Enter or scan the seed information on one device, and it can be available on every device with which you connect. The Watch app, as an extension of the iPhone app, allows quick access to any code. Authy on the Watch shows all the tokens that are available. Tap an entry and receive the latest code along with an indicator as to remaining time.

The first time you use the Watch app, you need to open and unlock Authy on your phone. Based on conversations on Twitter, this first step is confusing, and I can't find anywhere that Authy documents it. And for the small number of sites that use Authy exclusively for a second factor, like Coinbase, you'll also be asked to authenticate on the phone the first time you try to obtain a token on the Watch for each of them. This is also not documented.

Authy recently announced OneTouch, which will provide a single-tap Watch or mobile device login like Duo Security's but available for integration into websites and apps.


AgileBits' 1Password (free on iOS) is best known as a password storehouse and generator, as well as for keeping track of and autofilling credit-card and other information. Its integration into iOS 8 using an extension started out good and got better, and many iOS apps now integrate with it to pull 1Password-stored logins directly.

But 1Password added support for one-time passwords in iOS in January and in OS X in April as a second step in verifying identity. The 1Password Watch app can display entries that are set in the iOS version by tapping Add to Apple Watch. (The addition is made via a tag, so you can manually add "Apple Watch" as a tag in the OS X release for the same effect.)

For any entry that has both a password and a TOTP, 1Password cleverly shows just the one-time code on the Watch.

The $10 Pro in-app purchase is necessary for Watch features. The OS X app costs $50 for a single-user license.


Lockdown ($4) is another entrant in this category, but has a few unique aspects. First, it lets you preserve the seed codes for TOTPs. There are risks associated with that, but given that few apps and ecosystems let you recover those original codes without resetting your entire two-step or two-factor login at a site or through a service, it's worth considering. (In testing these apps, I wish I'd had such copies!)

Second, it can speak codes aloud from the phone, which is extremely useful. It's almost always perfectly safe to have a code shared (see the screen captures in this article) or spoken aloud because they are only good during a very brief window of time and still require the other account credentials to use. I hope to see this feature come to the Watch when developers are able to access the Watch's features fully later this year.

Favorite an item in iOS and it appears in the list on the Watch. The app is currently available only for iOS, but a Mac version is coming this month.

Stories by Glenn Fleishman