Why does Apple Watch require user approval of a 2FA request?

As with the iPhone, when a 2FA request is sent to the Apple Watch, the user has to interact with the app and click “Approve Request.” But shouldn’t approval of a 2FA notification be automatic as long as the Apple Watch is on your wrist and unlocked?

The watch being on your wrist and unlocked already confirms the second factor of authentication. It seems redundant to have to click “Approve Request” for 2FA on the Apple Watch. For example, when logging into a MacBook, if the user is wearing an Apple Watch, the password requirement is bypassed altogether - no extra steps are needed. The same should be the case for Duo 2FA requests - no extra steps.

This would be a great feature that would make logging in with Duo easier and would take advantage of the unique nature of the Apple Watch as opposed to just treating it like just a tiny iPhone.

Hi @howryan, welcome to the Duo Community, and thank you for asking this question here!

No, and the reason for this is to verify the push is legitimate and initiated by you. Let’s say your account credentials were compromised and a malicious actor tried to log in. The second factor of authentication (requiring push approval, in this case) would stop them from gaining access. If you were to auto-approve the push notification, however, that would not be the case, and they could gain access with just your username and password. This is known as push phishing. You can read more about it in the first half of this Duo blog post, or there is a great Cyberscoop article that explains push phishing in more detail as well. Hope that answers your question!

I shared your comment and question with the Duo Mobile team as well.

2 Likes
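To make the answer above concrete, here is an added model (not Duo's code; the account name, credentials and event list are constructed) of a push second factor under the two policies, plus a simple defender-side check over authentication outcomes that surfaces users who keep receiving pushes they never approved.

```python
"""Model of a push second factor: why auto-approving the push on an
unlocked watch defeats it.  Added illustration, not Duo's code; all
names, credentials and events below are constructed."""
from dataclasses import dataclass, field

@dataclass
class Account:
    username: str
    password: str
    # Session ids of logins the account owner actually started.
    pending_logins: set = field(default_factory=set)

    def user_starts_login(self, session_id):
        self.pending_logins.add(session_id)

def attempt_login(account, password, session_id, auto_approve):
    """Password is the first factor; a push the owner must approve is the
    second.  With auto_approve the push is accepted without checking whether
    the owner initiated this session, so a stolen password alone suffices."""
    if password != account.password:
        return "denied: bad password"
    if auto_approve:
        return "granted"  # watch unlocked => push accepted blindly
    # Explicit approval: the owner only taps Approve for logins they started.
    if session_id in account.pending_logins:
        account.pending_logins.discard(session_id)
        return "granted"
    return "denied: push not approved"

def flag_push_phishing(events, threshold=2):
    """Defender-side check: users who received several pushes they did not
    approve are likely targets of push phishing.  events: (user, outcome)."""
    counts = {}
    for user, outcome in events:
        if outcome == "denied: push not approved":
            counts[user] = counts.get(user, 0) + 1
    return sorted(u for u, n in counts.items() if n >= threshold)

def demo():
    victim = Account("alice", "hunter2")  # constructed credentials
    # Attacker holds the password but never touches the watch.
    stolen = attempt_login(victim, "hunter2", "attacker-1", auto_approve=True)
    blocked = attempt_login(victim, "hunter2", "attacker-2", auto_approve=False)
    victim.user_starts_login("laptop-1")  # owner signs in on their own laptop
    legit = attempt_login(victim, "hunter2", "laptop-1", auto_approve=False)
    return stolen, blocked, legit
```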

This is a terrible request, and is not at all like logging into a MacBook. The MacBook knows your watch is nearby and therefore believes that it is you who is logging in. Not the same situation at all with Duo MFA. As Amy points out, the system being logged into is verifying that it is you who is logging in.

1 Like