
Similarly, whenever I'm working at my kitchen table I always "lose" my mouse as if there's another monitor connected.

I realized a couple weeks later that MacOS display continuity (or "Sidecar"?) was connecting to my Mac Mini located directly upstairs, using it as a 2nd monitor while I'm downstairs.

My Apple Watch also regularly unlocks my Mac Mini when I'm downstairs (Mac Mini in a bedroom upstairs).

All of these features pose serious security issues if your physical location isn't secure/trusted.

There really should be a "Travel Mode" for MacOS that disables features like these. No one wants airport security to open a laptop and have the Apple Watch immediately unlock it for them while standing 20 feet away (or in another room).




Your watch really shouldn’t be able to do that. The pairing uses p2p latency as a way to determine if you are actually close enough to your Mac to want to unlock it.

I’ve used it for years now with a variety of watches and Macs and I’ve always had to be right next to the computer with a fairly clear line of sight between them. Even putting my watch on the other side of my body is normally enough to make it tell me that the WiFi signal isn’t strong enough to unlock it.


To play devil's advocate, it would be very easy to create custom rooms in which a detainee is held against a paper wall (with their locked device on the other side of the paper wall). The orientation of their seating arrangement could be such that it always places the detainee's watch closest to the device.


I wonder if the algorithms are tuned for different cultures' wall materials.


I have, like GP, been able to unlock a computer downstairs when I'm directly above it. So N=2.


To me, that's just a failure on the Bluetooth spec's part, period. All reasonable Bluetooth devices should come with a selector which allows you to choose which device to connect to [1]. Instead, there's this crapshoot where, if there are multiple Bluetooth devices near you, you'll get paired with a random one, and will have to disable Bluetooth on it to roll the dice again.

[1] For the cheapest devices, a physical button that goes to the next available device would still make a world of difference.


Definitely should be an OS-level feature to disable all that, similar to using panic mode on iOS to disable biometrics.

I personally boot my laptops to the FileVault screen and no further when going through the security checkpoints. Keeps the disk encrypted and requires my password to continue.


“Would you like to enter the password before or after I check in the back to see if we have any latex gloves left, sir?”


Doesn't look like FileVault has a duress option — otherwise it'd be pretty nice to have a separate password that boots you to a dummy partition showing a fresh desktop install with apparently nothing on it. For bonus points, you could have the dummy OS kernel-patched so that it doesn't even show the other partitions as existing, and just pretends it's occupying the whole disk with mostly empty space.

"That computer? Oh yeah, I just picked it up, officer; was going to start configuring it when I arrive at my destination."


Rookie mistake. It should have a shitload of random stuff on it, recently updated, including something mildly embarrassing¹ on it.

1: it depends on the person what that is, but it should be believable, "in character" so to speak.


When both FileVault and the Guest account are enabled, logging into the guest account boots you into a basically Safari-only sandbox.

https://support.apple.com/guide/mac-help/change-guest-user-s...


> "That computer? Oh yeah, I just picked it up, officer; was going to start configuring it when I arrive at my destination."

That can get you into trouble with customs when the device looks new.


You should spend a few minutes in Settings. Continuity allows a mouse and keyboard to run multiple Macs and iPads. You move the cursor all the way over to the end of the screen. It stops, but if you push more it will switch to the neighboring Mac. Easy to disable in Settings. You can unlock your other Mac this way (I think), and Apple Watch will unlock if you are close by. All changeable in Settings.


Problem is I like Apple Watch unlocking. But not randomly when I’m downstairs cooking dinner!


I don’t really trust it. The sports bands (which I find most comfortable) are especially vulnerable to being “scooped” off the wrist with two fingers in a single motion without interrupting the presence detection.


Somehow I doubt this is true.

My Apple Watch 7 regularly "forgets" that I am still wearing it. I have to enter my code roughly 2 times a day.

So to me, it feels like presence detection actually fires way too often in situations where the watch is still on the wrist.


Do you have any more info on that? I've been able to find videos of people taking the sports band off, but it didn't look like any of the techniques were attempting to avoid interrupting the wrist presence detection.


You can try this on yourself pretty easily.

Two fingers under the watch (far enough to cover the heartbeat sensor) and a swift upwards yank will pop the strap underneath and it’ll lift right off.

The thing is, if someone has your unlocked watch, what can they really do? This is a question I’ve never really known the answer to and doubt you ever would know clearly.

Certainly banking apps don't seem to have a lot of functionality on watchOS, but I'm unsure to what extent being signed in on an unlocked watch is the same as being signed in on an unlocked phone. Can I authorise a new phone just from the watch? I can certainly get 2FA codes to the watch, so the answer I guess is maybe.


Well I'll be damned, so you can. With a watch alone they'd have limited access, but if you steal somebody's watch without the watch realising it's been removed & also steal their phone you can almost certainly unlock the phone with the watch (my partner + I use that all the time when driving... they pick up my phone, show it only their eyes, and the phone assumes it must be me wearing a mask and so it uses my unlocked watch on my wrist to unlock the phone).

The good news, however, is that you don't appear to be able to use the Apple Watch mask unlock feature to pass further Face ID checks deeper in the system once unlocked, so your banking apps & password manager are safe... but your messages & e-mails are not...


Wow this is wild, didn’t even consider this scenario and my band easily fits 2 fingers underneath to pop off the watch!


It won’t unlock the MacBook if the watch is taken off your wrist though, the watch will lock.


They said without triggering the presence detection, so presumably the watch would not lock in that case.


For sure!

Now that I have an Apple silicon Mac and a keyboard with Touch ID, I turned that feature off.


I've disabled unlock with Apple Watch and bought a Touch ID Magic Keyboard. This is a far better solution!

It was neat for a couple of days until I was walking out of the room and my Mac unlocked itself.


FYI the feds can legally compel you to use biometric scanning to open your device, but cannot compel you to give up passcodes.

Last I heard


Feds are not an attack vector that concerns me. My coworkers or kids changing my wallpaper or getting access to my kit is.


I guess you don't travel a lot...


If you're traveling a lot and not using a burner laptop, well...


I do. Only for leisure. And I take a Pixel 6A running LineageOS when I do which has nothing sensitive on it.

That's really mostly so that I don't lose my iPhone which I actually care about.


OK, but most people don't use burner laptops /phones and are often subjected to unreasonable searches at the border by federal agents during entry at international airports, etc.


Can’t they just touch the sensor like 3 times and then make you tell the password?


I think you got this backwards. The 5th amendment means that the state cannot force you to share information you have in your head, e.g. you cannot be forced to give a password. But the state can force you to give a physical key, hardware token, or a biometric read.


Oh yeah, for some reason my brain reversed the logic, thanks! :D

Though certain EU courts can "make you give up" your password, as far as I know. Nonetheless, security is only good when it is used — widely-used biometrics with a potentially stronger password (due to not having to enter it all the time) is statistically safer for the population than everyone having "password1" as a secret. Especially with a good fallback like emergency mode on iPhone/Apple Watch. Afterwards only the password can unlock the device, and it is a single long press of two hardware buttons.


They can’t …prove… you know a key to decrypt data, but in the UK you can be charged under the Regulation of Investigatory Powers Act.

“RIPA regulates the manner in which certain public bodies may conduct surveillance and access a person's electronic communications. The Act:

enables certain public bodies to demand that an ISP provide access to a customer's communications in secret;

enables mass surveillance of communications in transit;

enables certain public bodies to demand ISPs fit equipment to facilitate surveillance;

enables certain public bodies to demand that someone hand over keys to protected information;

allows certain public bodies to monitor people's Internet activities;

prevents the existence of interception warrants and any data collected with them from being revealed in court.”

https://en.m.wikipedia.org/wiki/Regulation_of_Investigatory_...


You are right about the EU. There are many free democracies that do not consider passwords to be protected under their "no self-incrimination" version of the US 5th amendment.


Can they force you to give up the post-it on which you wrote down your password? If yes, are there any real limits to how much pressure they can apply before they give up? If no, what's stopping them from giving you a pencil and a stack of post-its, and letting you know they'll keep applying pressure until you produce a post-it with the password on it, which they "know" you have "somewhere"?

Point being, I feel this is getting into xkcd://538 territory.


Depends. If you have the resources to hire a lawyer, then what you describe is governmental overreach bordering on torture that will lead to the government paying out to you when you sue them and plenty of government employees being reprimanded or fired. If you do not have these resources and end up before unscrupulous law enforcement, you might very well have your rights abused until a journalist or the ACLU or some other equivalent decides to fight for you.


Because law enforcement always follows the rules and they don’t employ rubber hose decryption.


Ya, but you can take that one to court. Nothing to do about it if they just put your pinky on the pad.


You don’t have to. You use the evidence gathered on the phone to find other evidence that is admissible.

But “going to court” rarely happens. 95% of cases are plea-bargained.

https://www.law.cornell.edu/wex/plea_bargain

Given overwhelming evidence and an overworked public defender's office, you're not going to take a chance on going to court where you will probably lose.


> There really should be a "Travel Mode" for MacOS that disables features like these.

Sadly that is not the Apple way. We'll have to wait years for them to come up with a "solution" that doesn't involve a disable button. If they even decide to work on it.


Simply powering off the laptop already enables what the user is asking for. Apple has thought of this.


Your optimism is contagious.


> There really should be a "Travel Mode" for MacOS that disables features like these.

Have you tried macOS Lockdown Mode?


macOS Lockdown Mode is not intended to be used by casual travelers to prevent unintended macOS unlocks.

Per Apple, “Lockdown Mode is an optional, extreme protection that's designed for the very few individuals who, because of who they are or what they do, might be personally targeted by some of the most sophisticated digital threats. Most people are never targeted by attacks of this nature.”


Good luck convincing the HN crowd that the FBI aren’t rubbing elbows with the MSS under everyone’s bed.


That seems a crazy way to keep my mouse attached.


Disable Apple Watch unlock for other Mac devices; a 4-digit PIN on your watch really lowers the bar for security.


Which is why you shouldn't have a 4-digit PIN. By default Apple devices have wanted a 6-digit PIN for a while now. I have an 8-digit one on my watch, but use a passphrase on my iPhone.


Powering off the computer will do that. The passphrase is always required on cold boot.


Amusingly simple, practical solution. What's the wake time difference from power off vs sleep for a modern MacBook? I don't have one. Oh, I suppose the power-off time would be longer than simply shutting the lid, too.

Can you configure it to power off when the lid shuts?
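The two comments above ask whether closing the lid can be made to behave like a power-off, so that the FileVault password is required again. As an added example that is not part of this thread and not Apple's own tooling, the POSIX sh script below audits text in the format of `pmset -g` for the two settings the pmset man page documents for this: `hibernatemode 25` (the memory image is written to disk and RAM is powered off on sleep) and `destroyfvkeyonstandby 1` (the FileVault key is discarded on standby, so the password is needed on wake). The sample `pmset -g` text is constructed, not captured from a real machine, and the `pm_value` and `audit_pmset` function names are my own; whether these settings produce the requested behaviour on a particular Mac model is something to confirm on that machine.

```shell
#!/bin/sh
# Added example (not from the thread): audit pmset-style settings for a
# "lid close == power off, password required on wake" configuration with FileVault.
# Relies only on tr/awk, so it can be exercised on any POSIX system with sample text.

# Read "key value" lines (as printed by `pmset -g`) on stdin and print the value
# for the key given as $1. Matching is case-insensitive because the key can be
# printed as DestroyFVKeyOnStandby or destroyfvkeyonstandby.
pm_value() {
    want=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    tr 'A-Z' 'a-z' | awk -v k="$want" '$1 == k { print $2; exit }'
}

# Audit stdin: return 0 when both settings are in the hardened state, 1 otherwise.
# Findings are printed one per line so the function is also usable interactively.
audit_pmset() {
    input=$(cat)
    hm=$(printf '%s\n' "$input" | pm_value hibernatemode)
    fv=$(printf '%s\n' "$input" | pm_value destroyfvkeyonstandby)
    rc=0
    if [ "$hm" = "25" ]; then
        echo "ok:   hibernatemode 25 (memory written to disk, RAM powered off on sleep)"
    else
        echo "warn: hibernatemode is '${hm:-unset}', expected 25"
        rc=1
    fi
    if [ "$fv" = "1" ]; then
        echo "ok:   destroyfvkeyonstandby 1 (FileVault key discarded on standby)"
    else
        echo "warn: destroyfvkeyonstandby is '${fv:-unset}', expected 1"
        rc=1
    fi
    return $rc
}

# Constructed samples resembling `pmset -g` output; not captured from a real Mac.
SAMPLE_DEFAULT=' standby              1
 hibernatemode        3
 DestroyFVKeyOnStandby 0
 sleep                1'

SAMPLE_HARDENED=' standby              1
 hibernatemode        25
 DestroyFVKeyOnStandby 1
 sleep                1'

# Demonstration on the constructed samples. On a real Mac run: pmset -g | audit_pmset
echo "== default-style sample =="
printf '%s\n' "$SAMPLE_DEFAULT" | audit_pmset || echo "result: password would NOT be required on wake"
echo "== hardened-style sample =="
printf '%s\n' "$SAMPLE_HARDENED" | audit_pmset && echo "result: password required on wake"
```

To move a machine from the first state to the second, the pmset man page's syntax is `sudo pmset -a hibernatemode 25` followed by `sudo pmset -a destroyfvkeyonstandby 1`; the trade-off is exactly the one the comment above anticipates, a slower wake because memory is restored from disk and the FileVault password must be entered.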


How do you know it’s unlocked upstairs when you are downstairs?


The watch vibrates and makes a noise whenever it unlocks a device.


Thanks.



