Apple Shares Hidden Details on Mask-Aware Face ID, Touch ID, and More in Updated Platform Security Guide

iPhone Apple Watch Mask Unlock Credit: Steve Heap / Shutterstock
Text Size
- +

Toggle Dark Mode

If you’re an Apple Watch user, you’ve probably already at least tried out the new mask-aware Face ID feature introduced in iOS 14.5 and watchOS 7.4, which allows you to bypass normal Face ID requirements when wearing a mask and rely on your paired Apple Watch to unlock your iPhone instead.

It’s a clever solution to what has become a much more common problem in the midst of the global health pandemic, and while for the most part, it just works, Apple has now provided a bit more info on how the technology works under the hood — and some of the surrounding rules.

Every so often, Apple updates its Platform Security Guide providing a more in-depth look at many of the latest security features that underpin its hardware devices and the software operating systems that run on them, and this time around there are some interesting tidbits on the Apple Watch Auto Unlock features, the new standalone Touch ID Magic Keyboard, and more.

iPhone Auto Unlock with Apple Watch

The feature that involves using Face ID while wearing a mask is actually described by Apple as “iPhone Auto Unlock with Apple Watch,” and the Platform Security Guide confirms much of what we already know while adding a few other details on the security policies.

The Apple Watch unlocking can’t be used in place of Face ID on iPhone for any operations other than unlocking. For example, it doesn’t work with Apple Pay or app authorizations. This is by design.

The Apple Watch will always display a notification with an associated haptic whenever the Auto Unlock feature is engaged. If the user taps “Lock iPhone” in the notification, the lock command is sent over Bluetooth LE and disables Face ID entirely such that the iPhone can only be unlocked by entering the actual passcode.

More notably, the following criteria must be met for an Apple Watch to automatically unlock an iPhone:

  1. The iPhone has to have been unlocked at least once using another method after the Apple Watch has been placed on your wrist and unlocked. In other words, you’ll need to either use normal Face ID or enter your passcode after putting your Apple Watch back on.
  2. The TrueDepth camera must detect that both the nose and mouth are covered.
  3. The distance between the Apple Watch and the iPhone must be less than 3 meters.
  4. The Apple Watch must not be in bedtime mode.
  5. The Apple Watch must have experienced physical motion indicating that the wearer is active. This is presumably an extra security precaution for users who don’t use Apple’s sleep tracking features.
  6. The iPhone must have been unlocked at least once in the past 6.5 hours.
  7. Auto Unlock with Apple Watch will only work when Face ID is otherwise available on the iPhone. If Face ID has already failed, for example, if the iPhone has just been restarted, or if you’re in any other situation where a passcode is required instead of Face ID, then the Apple Watch can’t be used to unlock the iPhone either.

Apple’s Platform Security Guide also explains how Bluetooth LE and Wi-Fi are both used to securely approximate the distance between the Apple Watch and the target device — not just an iPhone but also when unlocking a Mac using your Apple Watch — in addition to how secure keys are exchanged between the devices for validation. It’s not simply a matter of your MacBook or iPhone recognizing your Apple Watch — there’s actually some pretty sophisticated cryptography involved to make sure a hacker can’t break into your devices by spoofing your Apple Watch configuration. The same also works in reverse for unlocking the Apple Watch using an iPhone.

Magic Keyboard with Touch ID

When Apple unveiled its new M1 iMac last month, it had one more surprise in store — for the first time, an external Magic Keyboard would feature a Touch ID sensor.

Even though Apple debuted Touch ID on the MacBook Pro back in 2016, the sensor remained limited to Apple’s MacBooks for years, even after the related T2 security chip came to the Mac mini in 2018. Presumably, part of the reason was that it was much easier to create a secure Touch ID sensor when everything was physically connected than try to deal with sending fingerprint data over a wireless Bluetooth connection.

However, it seems that Apple solved this problem with the new iMac, and in fact it may even have been as a result of its engineering efforts in designing the M1 chip.

Unfortunately, the new Touch ID Magic Keyboard is only available with the M1 iMac right now, but Apple’s Platform Security Guide offers a ray of hope that it may soon be sold separately for the sake of M1 MacBook users who prefer an external monitor, closed-lid workstation at their desks.

According to the guide, the Magic Keyboard with Touch ID is compatible with the built-in Touch ID sensors found on Apple’s MacBook, since the standalone keyboard only provides the biometric sensor component — it still relies on a Mac-based Secure Enclave to handle the actual processing of the biometric data, and enforcement of security policies.

The Magic Keyboard with Touch ID and built-in Touch ID sensors are compatible. If a finger that was enrolled on a built-in Mac Touch ID sensor is presented on a Magic Keyboard with Touch ID, the Secure Enclave in the Mac successfully processes the match—and vice versa.

While it’s unclear right now if the current M1 MacBook Pro and MacBook Air models support the necessary pairing process, Apple’s guide does indicate that a Mac can maintain secure pairing with up to five different external Touch ID keyboards at a time — although the keyboard itself can only be paired with a single Mac.

However, since even the new M1 Mac mini would likely be able to benefit from the Magic Keyboard with Touch ID, it seems likely that Apple will begin selling the keyboard on its own at some point in the future. At this point it may simply be a matter of making sure that it has enough keyboards to go along with all the new iMacs that are expected to begin arriving in stores later this month.

New Express Cards

Two years ago, Apple introduced a new Apple Pay feature known as Express Transit, allowing for payment cards to be quickly pulled up on an iPhone or Apple Watch when passing authorized fare terminals in public transit stations.

However, Express Transit also included one other important and handy feature: The ability to pull up a payment card even when the iPhone battery was otherwise dead, ensuring that you’d never be stuck without transit fare.

For obvious reasons, Apple used the same technology when it debuted Car Key last year, allowing users to ensure that their virtual car keys were still accessible on a dead iPhone.

Now it looks like Apple has quietly extended these capabilities to two other forms of Apple Wallet cards: Student ID cards and Resort Passes.

The guide notes that these cards need to have “Express Mode” enabled to be available when the battery is otherwise dead, but if so, you’ll be able to see them come up when pressing the side button (or the home button on a 2020 iPhone SE) alongside the low-battery icon. Transactions are still handled by the NFC controller except they’re confirmed only with a haptic notification.

Presumably, the cards have been added for the same reason as car keys. Virtual Apple Wallet student ID cards have been introduced at several colleges and universities in recent years, and in many cases are used as access passes to unlock dormitories and other campus facilities. Resort passes would also serve a similar function, and naturally Apple wants to make sure you’re not locked out of your room just because you’ve come home with a dead battery after a long day out.

Social Sharing