Apple's upcoming iOS 14.5 and watchOS 7.4 will allow masked enterprise employees to access their iPhone if they happen to be wearing an Apple Watch that is unlocked. If companies don't stop workers from using this convenience, it will materially scale back security.

Apple plans with iOS 14.5 to allow masked enterprise employees to access their iPhones if they are also wearing an unlocked Apple Watch (running watchOS 7.4). Heads up: This is a quintessential convenience vs. security trade-off from Apple, and if you don’t insist that workers refrain from using the feature, corporate security will suffer.

In short, it will make it much easier for corporate spies and cyberthieves to snag your company’s intellectual property, which is being created, stored, and shipped within smartphones today at a far greater rate than in 2019 — aka the pre-COVID-19 times.

Apple has refused to let this convenience do anything other than open the phone (which is bad enough). And it will not allow the feature to bypass Face ID authentication for the Apple Card, Apple Pay or any third-party app (such as those from banks and investment firms) that has embraced Face ID. That tells you pretty much all you need to know about how much of a security corner-cutter this move is.

Let’s drill into what Apple has done and give credit where it’s due. As a security move, it’s horrible — and that should be the main concern of enterprise IT since it endangers ultra-sensitive corporate data. That said, it’s a pretty impressive dose of convenience.

First, this is absolutely pandemic-based, as the unlock process starts by scanning for the existence of someone wearing a mask. Once it determines that, it allows the phone to be unlocked if there’s an unlocked Apple Watch nearby. All it’s really doing is replacing a PIN entry on the phone with a previous PIN entry on the watch. And that can prove helpful.

How helpful and — to the point — how much more convenient?
It’s a better idea, but I’m not so sure it’s much more than a gimmick. Most iPhone users still have to enter their iPhone PIN many times a day. For most of us, it’s now muscle memory and barely takes a second. If it’s only saving a second or two of time, I’m not convinced it’s worth the effort.

As noted above, the Apple Watch-iPhone authentication combo — which sort of plays off Unix’s trusted host concept, in that it’s saying, “If you’ve already authenticated yourself on the Watch, I’ll trust you” — doesn’t work with any sensitive third-party app that uses Apple’s facial recognition for authentication. We’re talking about a one-trick pony here, something that can only open the iPhone and then only if it detects a mask. This might be more useful in the winter when wearing gloves and a ski mask over a COVID mask, where finger access is a hassle.

As for security, this convenience gambit is going to make life a lot easier for bad guys. Let’s say someone steals one of your employees’ phone and watch, perhaps when they fall asleep on the subway or train. Or perhaps simply during a mugging at knifepoint. Despite Apple’s ballyhooed security protections, it’s not that hard to get in.

First, Apple made a good partial move by allowing and then encouraging longer PINs. The big risk with a PIN — beyond how guessable they are — is shoulder-surfing. The longer the PIN, the harder it is to shoulder-surf. But the watch has yet to move beyond a 4-digit PIN, which is easy to see from above the shoulder.

That means that all of the Apple security can be wiped out with a 4-digit PIN. Not good. The thief merely needs to put on a mask (easy) and use the 4-digit PIN on the watch and they’re in.

What can they get? Quite a bit: all email, all texts, anything in a notes app, all photographs, all voicemails, all recent incoming and outgoing call numbers, geolocation history, a list of all places driven to recently (and not so recently), etc.
They may not be able to buy anything or transfer money, but for a corporate spy, this still represents a massive treasure trove of sensitive data.

The reason the thief needs to steal both the phone and the watch is that Apple has put in place a small safeguard in case someone steals the phone and tries to open it when you are nearby, perhaps at a coffee shop (whenever people return to sitting in coffee shops). When the iPhone unlocks, the user is notified by a watch vibration that points out the phone has been unlocked. It then briefly offers the option to override the process and lock the mobile device. (This assumes that the user is able to instantly look at their phone and react.)

Essentially, it means both smart devices have to be swiped. That requires a level of subterfuge and stealth that won’t be easy to pull off, but do companies really want to take that chance? If your company is the target of a cyberthief or corporate spy, and the data they are pursuing is worth millions, this could be a relatively simple way to hurt your business.

Side note: 9to5mac argues that Apple allows far more access when the Apple Watch is talking with a Mac, compared with the watch talking with an iPhone. “On the Mac, the Apple Watch can be used for a variety of different authentication tasks, including accessing controls in System Preferences, making Apple Pay purchases, and more,” the story said.

For security’s sake, we can be glad Apple protects the iPhone better than the Mac. Still, it doesn’t go nearly far enough.