Why is Apple Watch authentication restricted to Secure Enclave Macs?

lilyball Junior Member

All Macs can use LocalAuthentication to authenticate with an Apple Watch regardless of whether they have a secure enclave, and keychain items can be created with a SecAccessControl that requires the watch. So why does 1Password require the secure enclave?

1Password Version: 7.7.BETA-1 (70700001)
Extension Version: Not Provided
OS Version: macOS 10.15.5 (19F101)
Sync Type: Not Provided


  • rudy Team Member

    Yup, that's correct that LocalAuthentication is possible with Apple Watch on most 2013 or newer Macs. Unfortunately, SecAccessControl doesn't meet our security requirements for externally stored unlock secrets. If the keychain item is protected with SecAccessControl then you can still access that item with your Mac's login password.

  • lilyball Junior Member

    You can? Argh, then what's the point of kSecAccessControlDevicePasscode >_<
