
Wearable security: Two-factor authentication apps for Apple Watch

Glenn Fleishman | June 2, 2015
Early extensions of iPhone apps for varying forms of authentication find a useful home as Watch apps.

(oneID is free; the company behind it makes its money by integrating this easy login approach for nonprofits and political groups to allow easy repeat donations. There are no strings attached to using the ecosystem on its own.)

Duo Security

This is a bit on the enterprise and extra-geeky side, but it's a good example of how the Watch will fit in as part of corporate security. Duo Security makes software that integrates with all kinds of back-end systems, from straightforward Unix shells to VPN connections to Web apps and much more. I use Duo Security's basic free service to secure a Linux virtual private server (VPS), for instance.

When you connect to an app or service protected by Duo Security for which you're an authorized user, the company's system can send one of several kinds of alerts; in some cases, you can choose which kind. When I connect via SFTP to my Linux box, I can only use the iOS app; via an SSH login, I can choose app-based authentication, an SMS code, or a phone call that speaks a code to me.

The Watch integration for Duo Security gives you a simple Approve and Deny notification along with the name of the service and the account. Tap, and you're done. I no longer use the iPhone app; I favor the Watch notification.

Shred after Reading

The geekily named time-based one-time passwords (TOTPs) were made popular by Google's Authenticator app. They're broadly used now instead of, or as an alternative to, a code sent via SMS or through a dedicated app. A TOTP is seeded with a QR code (those 2D grids of rectangles that look like noise) or an initial string of text from the website at which you're enrolling to use a second factor for logging in. An algorithm combines that seed code with the current time to create tokens that typically work for one minute.

TOTPs are used by Google web apps, Facebook, Dropbox, and many others. Apple has a separate proprietary two-step approach. (For more background detail, see my Private I column from last October.)
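The seed-plus-time computation described above, as an added example that is not part of the original article: it parses the `otpauth://` enrollment URI that a QR code carries, derives the code as RFC 6238 specifies, and shows the server-side check with a drift window and replay rejection. The 30-second step and 6 digits are the RFC defaults assumed when the URI omits them; the sample URI, its issuer and account names are constructed, and the seed is the RFC's published test key.

```python
import base64, hashlib, hmac, struct, time
from urllib.parse import urlparse, parse_qs

def parse_otpauth(uri):
    """Extract the seed and parameters from the otpauth:// URI a QR code encodes."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc != "totp":
        raise ValueError("not a TOTP enrollment URI")
    q = {k: v[0] for k, v in parse_qs(u.query).items()}
    b32 = q["secret"].replace(" ", "").upper()
    b32 += "=" * (-len(b32) % 8)          # enrollment seeds usually omit base32 padding
    return {"key": base64.b32decode(b32), "digits": int(q.get("digits", 6)),
            "period": int(q.get("period", 30)),
            "algorithm": q.get("algorithm", "SHA1").lower()}

def hotp(key, counter, digits=6, algorithm="sha1"):
    """RFC 4226: HMAC over an 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), getattr(hashlib, algorithm)).digest()
    offset = mac[-1] & 0x0F               # low nibble of last byte picks 4 bytes
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(p, now=None):
    """RFC 6238: the counter is the number of whole periods since the Unix epoch."""
    now = time.time() if now is None else now
    return hotp(p["key"], int(now) // p["period"], p["digits"], p["algorithm"])

def verify(p, submitted, now=None, window=1, last_counter=-1):
    """Server side: tolerate +/- `window` steps of clock drift, compare in constant
    time, and refuse any step at or before the last accepted one (replay).
    Returns the matched counter (store it as last_counter), or None."""
    now = time.time() if now is None else now
    current = int(now) // p["period"]
    for c in range(current - window, current + window + 1):
        if c > last_counter and hmac.compare_digest(
                hotp(p["key"], c, p["digits"], p["algorithm"]), submitted):
            return c
    return None

# Constructed enrollment URI: the secret is base32 of the RFC 6238 test key
# "12345678901234567890"; issuer and account are made up for illustration.
SAMPLE_URI = ("otpauth://totp/Example:alice@example.com"
              "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example&digits=8")

if __name__ == "__main__":
    params = parse_otpauth(SAMPLE_URI)
    left = params["period"] - int(time.time()) % params["period"]
    print(totp(params), "changes in", left, "s")
```

Because the seed alone is enough to produce every future code, anything that stores or syncs it holds the second factor itself.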


Authy (free on all platforms) is a robust multi-platform service for managing and syncing TOTPs. Enter or scan the seed information on one device, and it can be available on every device with which you connect. The Watch app, as an extension of the iPhone app, allows quick access to any code. Authy on the Watch shows all the tokens that are available. Tap an entry and receive the latest code along with an indicator as to remaining time.

The first time you use the Watch app, you need to open and unlock Authy on your phone. Based on conversations on Twitter, this first step is confusing, and I can't find anywhere Authy documents it. And for the small number of sites that use Authy exclusively for a second factor, like Coinbase, you'll also be asked to authenticate at the phone the first time you try to obtain a token on the Watch for each of them. This is also not documented.

