Six Colors

Apple, technology, and other stuff


By Glenn Fleishman

Unlocking your Mac with an Apple Watch, like clockwork

Glenn Fleishman, art by Shafer Brown

Apple has intended the Apple Watch to be a nifty complement to your iPhone from its release; interaction with the Mac came later. (With an iPad? Well, it’s not entirely neglected.)

One of the key ways you can use your Apple Watch with a Mac is to unlock it. Two different readers have expressed frustration with how that’s working.

Six Colors subscriber HiddenJester notes:

It’s always had some limitations, where sometimes the screen says the wireless signal is too weak or it occasionally demands a password, but it generally works pretty well. Except … it quit working for me last week, and no amount of toggling the switch off and back on again works.
I noticed this morning while I was looking at the password prompt that it occasionally flashed “Unlocking with Apple Watch …” underneath the password field, but it immediately goes away.

They have tried rebooting their Apple Watch and Mac and are still locked out.

A similar report came in from Six Colors reader Coach Mike via Mastodon:

Any thoughts/ideas on how to fix an Apple Watch that suddenly stops unlocking a Mac?
Rebooted Mac couple of days ago; rebooted Watch this morning. (And yes, Watch is “unlocked, on my wrist and powered on”.)

Why would a convenient feature stall out? My suspicion is that it has to do with how Apple manages to bypass using macOS account passwords (or encrypted versions of them) while also ensuring that your Apple Watch remains under your control.

Watch it unlock your Mac

To enable this feature, called Auto Unlock in Apple’s documentation, you first need to meet these requirements:

  • The Mac must be a model released in mid-2013 or later and have macOS 10.12 Sierra or later installed.
  • All Apple Watch models offer this feature, but must be running watchOS 3 or later.
  • Your Apple Account has to be set up with two-factor authentication, and you must use the same Apple Account on both devices.
  • You must have set a passcode for your Apple Watch.[1]
  • Both your Mac and Apple Watch must have Bluetooth and Wi-Fi enabled.

(Update: Continuity features like Auto Unlock sometimes require that devices be on the same Wi-Fi network; Auto Unlock doesn’t explicitly list this as a requirement. However, Coach Mike discovered after this article first appeared that his watch had shifted to the Guest network at his house. He used Settings on the Apple Watch to change back to his primary network, at which point Auto Unlock worked again!)

With all of that in place, you go to System Settings > Touch ID & Password on a Mac with an integrated Touch ID sensor or with a Magic Keyboard with Touch ID[2], or System Settings > Login Password if there’s no Touch ID sensor attached. You can then enable the switch under the Apple Watch label at the bottom to let your wearable unlock your Mac, as well as unlock applications like Passwords or allow autofilling passwords and verification codes. (The full text reads “Use Apple Watch to unlock your applications and your Mac.”) If you have more than one Apple Watch, such as a day and night watch, you can enable them separately.

Screenshot of macOS 15 Sequoia's Touch ID & Password system settings pane revealing bottom portion of dialog with Apple Watch setting.
Use the switch for your Apple Watch under the Apple Watch label to enable automatic unlocking. (Image: Apple)

As with general Mac password security, every time you restart your Mac, shut down and power it back up, or log out of an account and back in, you must re-enter the account’s password—you cannot use Auto Unlock until after that point.

Now, you just tap a key on the keyboard, move a mouse, or tap a trackpad, and your Mac automatically unlocks.[3] This won’t work if a remote device is controlling your Mac’s screen or, peculiarly, if you are using Internet sharing, where you use your Mac to pass an Internet connection over one or more Mac hard-wired interfaces or via Wi-Fi.

Composite image (via Apple) of Mac laptop showing it is being unlocked by an inset Apple Watch
If your Apple Watch is close to your Mac, your Mac should simply unlock.

When you’re in a regular Mac session and Touch ID or an administrator password is requested, you also receive a notification on your Apple Watch and can double-press the side button to approve it.[4]

That should be the beginning and end of it. However, as our two readers note and I have seen myself, sometimes it just breaks.

This may be due to the layered security that enables this to happen at all.

A fragile tunnel?

Auto Unlock isn’t just about letting your Apple Watch unlock your Mac. The same technology allows your iPhone to unlock your Apple Watch after it restarts or starts up, or when it loses a connection with your body, such as after you’ve charged it and put it back on your wrist. (Go to the iPhone Watch app > Passcode > Unlock with iPhone.) It’s also used in some cases when you’re wearing a mask to let you unlock your iPhone with your Apple Watch.

Auto Unlock doesn’t involve storing or revealing passwords. Instead, setting up a connection between your devices allows them to pass secrets that prove their identity to each other coupled with proximity detection to ensure your devices are near one another. When this system fails, intentionally or not, it provides unuseful feedback—or none at all.

When you turn on Auto Unlock features, Apple creates an end-to-end encrypted tunnel using what it calls a Station-to-Station (STS) protocol. One set of long-lasting keys gets created when the feature is turned on to allow STS to work over time. However, the protocol doesn’t simply rely on that. Instead, it generates a unique session key to use whenever Auto Unlock is invoked. Because this feature works with Macs without the Secure Enclave[5], the end-to-end tunnel uses Secure Enclave at both ends when available, but can also terminate on earlier Macs at the Mac’s kernel (its core operating system component).

This operation relies on Bluetooth—in particular, Bluetooth Low Energy (BLE). It also relies on peer-to-peer Wi-Fi, which is used to let two devices roughly calculate the distance between them, helping deter longer-range cracking attempts. Those attempts are themselves highly unlikely to succeed due to the layered encryption employed: all transactions over both networking types are separately encrypted.

The initial secret is sent by a “target”: the device that will allow itself to be automatically unlocked, such as a Mac to an Apple Watch. This secret passes over the STS tunnel using a BLE connection. When an unlock request is triggered, a new peer-to-peer Wi-Fi connection is established, and the distance is calculated. The two devices must be close enough to each other: seemingly a few feet, but it’s not documented. (Apple describes this as your Apple Watch being “very close to your Mac.”)

If the conditions are met, the unlocking device sends the target back the unlock secret it previously received. The target sends a new challenge that the unlocking device solves. Voila! The target unlocks, and transmits a new secret for the next go-round.[6]

There could be a few things going wrong that result in a silent failure or a failure with the wrong error message:

  • Despite being close enough, the two devices decide they are more than the requisite distance apart. This should result in a message stating that the Apple Watch connection is too weak. However, I’ve seen that error even when my wrist is inches from the Mac, so it must be displayed when it is provably false or instead of the correct error.
  • A glitch causes the handshake to fail between the two devices. Instead of announcing it, perhaps Apple chooses to let the process break without a message to avoid providing feedback that attackers could use to hone an exploit.
  • Gremlins?

There’s one way around it.

The time is out of joint

The key problem—pun definitely intended—is that enabling Auto Unlock sets a trigger that’s later released. Disabling the Auto Unlock feature deletes associated keys, including breaking the STS tunnel. The correct order of reset is:

  1. Disable System Settings > Touch ID & Password (or Login Password) > Apple Watch > your device.
  2. Restart your Mac and your Apple Watch.
  3. Log into your Mac and enter the passcode for your Apple Watch.
  4. Return to the Auto Unlock area and re-enable.

If you haven’t tried this sequence in precisely this order, now is the time to do so. If you have and it hasn’t worked, try it again. We all know that repeating the same actions with computers shouldn’t produce a different outcome. Yet, like rotating a USB Type-A plug three times to get it to fit, some parts of the technology world defy explanation.
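The rotating-secret exchange and the reset sequence described above can be modeled in a few lines. This is an added sketch, not Apple’s implementation and not code from the article: the `Mac` and `Watch` classes, the `MAX_RANGE_M` threshold, the choice to keep only a SHA-256 digest on the target, and the `delivered` flag that simulates a lost message are all assumptions made for illustration.

```python
import hashlib, hmac, secrets

MAX_RANGE_M = 1.0  # assumed threshold; the real distance is undocumented
class Watch:                          # the unlocking device
    def __init__(self):
        self.secret = None            # last unlock secret received from the Mac

class Mac:                            # the "target"
    def __init__(self):
        self.digest = None            # None: Auto Unlock disabled, no keys held
        self.password_entered = False # cleared by restart or logout

    def _issue(self, watch, delivered=True):
        secret = secrets.token_bytes(32)
        self.digest = hashlib.sha256(secret).digest()
        if delivered:                 # hypothetical glitch: message never arrives
            watch.secret = secret

    def enable(self, watch):          # stands in for setup over the STS tunnel
        self._issue(watch)

    def disable(self, watch):         # turning the feature off deletes the keys
        self.digest = watch.secret = None

    def try_unlock(self, watch, distance_m, delivered=True):
        if self.digest is None or not self.password_entered:
            return False              # password is required after every restart
        if distance_m > MAX_RANGE_M or watch.secret is None:
            return False              # proximity gate
        offered = hashlib.sha256(watch.secret).digest()
        if not hmac.compare_digest(offered, self.digest):
            return False              # fails silently, with no reason reported
        self._issue(watch, delivered) # rotate the secret for the next go-round
        return True

def demo():
    mac, watch = Mac(), Watch()
    mac.password_entered = True
    mac.enable(watch)
    out = [mac.try_unlock(watch, 0.5), mac.try_unlock(watch, 5.0)]
    out.append(mac.try_unlock(watch, 0.5, delivered=False))  # new secret lost
    out.append(mac.try_unlock(watch, 0.5))                   # watch is now stale
    mac.disable(watch)                # step 1: switch the feature off
    mac.password_entered = False      # step 2: restart clears the session
    mac.password_entered = True       # step 3: log in with the password
    mac.enable(watch)                 # step 4: re-enable, fresh secret issued
    out.append(mac.try_unlock(watch, 0.5))
    return out

print(demo())
```

In this model, once the two sides disagree about the current secret, no amount of retrying recovers; only deleting the key material and enrolling again does, which matches the order of the reset steps.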

[Got a question for the column? You can email glenn@sixcolors.com or use /glenn in our subscriber-only Discord community.]


  1. Apple doesn’t require a passcode to use an Apple Watch, but you miss out on many features and basic security protections without one. 
  2. Or with a deconstructed Magic Keyboard’s Touch ID sensor.
  3. Sometimes, I can be sitting on our house’s main (and sole) floor above my day-lit basement office, and my Apple Watch says it’s mysteriously unlocked my computer. 
  4. Approving these logins requires a slightly later system version than for Auto Unlock: macOS 10.15 Catalina or later and watchOS 6 or later.
  5. Intel Macs received a full Secure Enclave via the T2 Security Chip, starting with models introduced in 2018. All Apple silicon Macs have a Secure Enclave subcomponent in their M-series chip. 
  6. For the full technical explanation, see Apple Platform Security’s “System security for watchOS” documentation under Auto Unlock and Apple Watch. 

[Glenn Fleishman is a printing and comics historian, Jeopardy champion, and serial Kickstarterer. His latest books are Six Centuries of Type & Printing (Aperiodical LLC) and How Comics Are Made (Andrews McMeel Publishing).]
