
Automatically unlock Apple devices
For greater convenience when using multiple Apple devices, some devices can automatically unlock others in certain situations. Automatic unlocking can be done with the following:
An Apple Watch can be unlocked by an iPhone.
A Mac can be unlocked by an Apple Watch.
An iPhone can be unlocked by an Apple Watch when a user is detected with their nose and mouth covered.
An iPhone can be unlocked by an Apple Vision Pro.
An iPhone can be unlocked and viewed on a Mac using iPhone Mirroring.
All use cases are built upon the same basic foundation: a mutually authenticated Station-to-Station (STS) protocol, with Long-Term Keys exchanged at time of feature enablement and unique ephemeral session keys negotiated for each request. Regardless of the underlying communication channel, the STS tunnel is negotiated directly between the Secure Enclaves in both devices, and all cryptographic material is kept within that secure domain (with the exception of Mac computers without a Secure Enclave, which terminate the STS tunnel in the kernel).
To unlock one device with another, both devices need to be signed into the same Apple Account using two-factor authentication, and the user needs to enable each specific unlocking relationship between the two devices.
Unlocking
A complete unlock sequence can be broken down into two phases.
The device being unlocked (the target) generates a cryptographic unlock secret and sends it to the device performing the unlock (the initiator).
The initiator performs the unlock using the previously generated secret.
To prepare for devices to automatically unlock, the devices connect to each other using a Bluetooth Low Energy (BLE) connection. Then a 32-byte unlock secret randomly generated by the target device is sent to the initiator over the STS tunnel. During the next biometric or passcode unlock, the target device wraps its passcode-derived key (PDK) with the unlock secret and discards the unlock secret from its memory.
To perform the unlock, the devices initiate a new BLE connection and then use peer-to-peer Wi-Fi to securely approximate the distance between each other. If the devices are within the specified range and the required security policies are met, the initiator sends its unlock secret to the target through the STS tunnel. The target then generates a new 32-byte unlock secret and returns it to the initiator. If the current unlock secret sent by the initiator successfully decrypts the unlock record, the target device is unlocked and the PDK is rewrapped with the new unlock secret. Finally, the new unlock secret and the PDK are discarded from the target’s memory.
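The two-phase sequence above, simulated as an added example (not Apple's code): the target wraps its PDK under a one-time unlock secret that only the initiator retains, and each successful unlock rotates that secret, so a stale secret no longer opens the record. The wrap/unwrap primitive, the in-range flag and the PDK value are constructed stand-ins; Apple does not specify the wrapping algorithm.

```python
import hmac
import secrets

# Toy wrap/unwrap from the standard library only: HMAC-SHA256 in counter mode as the
# keystream plus an HMAC tag. A stand-in for Apple's unspecified wrapping primitive.
def _keystream(key, nonce, length):
    return b"".join(hmac.digest(key, nonce + i.to_bytes(4, "big"), "sha256")
                    for i in range((length + 31) // 32))[:length]

def wrap(key, plaintext):
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ s for p, s in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.digest(key, b"tag" + nonce + ct, "sha256")

def unwrap(key, record):
    nonce, ct, tag = record[:16], record[16:-32], record[-32:]
    if not hmac.compare_digest(hmac.digest(key, b"tag" + nonce + ct, "sha256"), tag):
        return None  # wrong or replayed unlock secret: the record stays sealed
    return bytes(c ^ s for c, s in zip(ct, _keystream(key, nonce, len(ct))))

class Target:
    """Device being unlocked; between unlocks it holds only the wrapped PDK."""
    def __init__(self, pdk):
        self.pdk, self.secret, self.record = pdk, None, None
    def prepare(self):  # phase 1: 32-byte secret handed to the initiator over STS
        self.secret = secrets.token_bytes(32)
        return self.secret
    def lock(self):  # next biometric/passcode unlock wraps the PDK, then forgets both
        if self.secret is not None:
            self.record = wrap(self.secret, self.pdk)
        self.secret = self.pdk = None
    def remote_unlock(self, presented, in_range):  # phase 2; returns (ok, new secret)
        pdk = unwrap(presented, self.record) if in_range and self.record else None
        if pdk is None:
            return False, None  # out of range or bad secret: nothing changes
        new_secret = secrets.token_bytes(32)
        self.record = wrap(new_secret, pdk)  # rewrap, then drop PDK and new secret
        return True, new_secret

def run_sequence():  # constructed walk-through: prepare, lock, unlock, replay, reuse
    target = Target(pdk=secrets.token_bytes(32))  # constructed passcode-derived key
    watch_secret = target.prepare()               # the initiator stores this secret
    target.lock()
    forgotten = target.secret is None and target.pdk is None
    far, _ = target.remote_unlock(watch_secret, in_range=False)
    ok, new_secret = target.remote_unlock(watch_secret, in_range=True)
    target.lock()
    replay, _ = target.remote_unlock(watch_secret, in_range=True)  # stale secret
    again, _ = target.remote_unlock(new_secret, in_range=True)     # rotated secret
    return {"forgotten": forgotten, "out_of_range": far, "unlocked": ok,
            "replay": replay, "again": again}
```

The replay step is the property worth checking in any design like this: once the record has been rewrapped, the previous secret is useless even to a party that captured it.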
Mac unlock using Apple Watch
The unlocking flow described above is used when an Apple Watch unlocks a paired Mac, and can also be used to approve app requests—like viewing passwords or downloading an app—without having to enter a password. When Apple Watch successfully unlocks a paired iPhone, the watch displays a notification and plays an associated haptic.
Successfully unlocking a paired Mac from Apple Watch requires that all of the following criteria be met:
The Mac needs to be unlocked using another method at least once after the associated Apple Watch was placed on wrist and unlocked.
Distance measured between the Mac and Apple Watch needs to be 2–3 meters or less.
Apple Watch needs to be unlocked.
Apple Watch can’t be in bedtime mode.
iPhone unlock using Apple Watch
Additional security policies apply to iPhone unlock using Apple Watch. If the user taps the Lock iPhone button in the notification, the watch sends the iPhone a lock command over BLE. When the iPhone receives the lock command, it locks and disallows both Face ID and unlock using other devices. The next iPhone unlock needs to be performed with the iPhone passcode. Apple Watch can’t be used in place of Face ID on iPhone for other operations, such as Apple Pay or app authorizations. When Apple Watch successfully unlocks a paired iPhone, the watch displays a notification and plays an associated haptic.
Successfully unlocking a paired iPhone from Apple Watch (when enabled) requires that all of the following criteria be met:
iPhone needs to have been unlocked:
Using another method at least once after the associated Apple Watch was placed on wrist and unlocked.
At least once in the past 6.5 hours.
Apple Watch or iPhone needs to have been unlocked recently, or Apple Watch needs to have experienced physical motion indicating that the wearer is active (for example, not asleep).
Sensors need to be able to detect that the nose and mouth are covered.
Distance measured between iPhone and Apple Watch needs to be 2–3 meters or less.
Apple Watch can’t be in bedtime mode.
iPhone needs to be in a state where Face ID is allowed to perform a device unlock. (For more information, see Optic ID, Face ID, Touch ID, passcodes, and passwords.)
iPhone unlock using Apple Vision Pro
Similar security policies apply to iPhone unlock with Apple Vision Pro. The user can pair their Apple Vision Pro with an iPhone to enable automatic unlock of that iPhone by Apple Vision Pro, and for in-app authentication using Apple Vision Pro in supported iPhone apps. When Apple Vision Pro successfully unlocks a paired iPhone, the Apple Vision Pro displays a notification. If the user taps the Lock iPhone button in the notification, the Apple Vision Pro sends the iPhone a lock command over BLE. When the iPhone receives the lock command, it locks and disallows both Face ID and unlock using other devices. The next iPhone unlock needs to be performed with the iPhone passcode. Apple Vision Pro can’t be used in place of Face ID on iPhone for Apple Pay.
Successfully unlocking a paired iPhone from Apple Vision Pro (when enabled) requires that all of the following criteria be met:
iPhone needs to be unlocked using another method at least once since it booted.
Apple Vision Pro needs to be unlocked and in use.
Apple Vision Pro needs to optically detect that the iPhone is within approximately one meter or less of the user, and that the user is looking at the iPhone.
Distance measured between iPhone and Apple Vision Pro needs to be approximately one meter or less.
iPhone needs to be in a state where Face ID is allowed to perform a device unlock. (For more information, see Optic ID, Face ID, Touch ID, passcodes, and passwords.)
Apple Watch unlock using iPhone
For added convenience, Apple Watch can be unlocked by an iPhone directly after initial startup, without requiring the user to enter the passcode on the Apple Watch itself. To achieve this, the random unlock secret (generated during the very first unlock sequence after enablement of the feature) is used to create a long-term escrow record, which is stored in the Apple Watch keybag. The escrow record secret is stored in the iPhone keychain and used to bootstrap a new session after each Apple Watch restart.
iPhone Mirroring security
iPhone Mirroring allows a user to use their iPhone from their nearby Mac. While it is being remotely used on the Mac, the iPhone remains locked and users see a persistent notification on the iPhone’s Lock Screen. A banner is shown the first time the iPhone is unlocked after a session has ended.
Notification forwarding
iPhone Mirroring lets users forward notifications from their iPhone to a Mac using the same Apple Account. Users signed in to devices with the same Apple Account exchange cryptographic identities using a local peer-to-peer protocol, encrypted with keys that are stored in iCloud with end-to-end encryption. When the user enables iPhone Mirroring and enters their passcode on the iPhone, the current cryptographic identity for the Mac is recorded. The private key for this identity is protected in the Secure Enclave. This identity is pinned so that if it changes, notifications aren’t forwarded to the Mac. Notifications are encrypted in transit using end-to-end encryption.
Remote unlock
Remote unlock for iPhone Mirroring uses the same remote unlock protocol as iPhone unlock using Apple Watch but is initiated by the user launching the iPhone Mirroring app on their paired Mac. Secure ranging isn’t required for iPhone Mirroring.
When users set up iPhone Mirroring for the first time, they’re prompted to choose to either “Automatically authenticate,” or to “Ask every time.” The Secure Enclave on the Mac enforces this user choice and prompts the user to authenticate using their Mac password (or Touch ID if supported). After the authentication policy is completed, the Mac connects to the iPhone using a local wireless peer-to-peer connection and unlocks the iPhone keybag to enable remote access for the duration of the remote session.