Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
978
Views
3
Helpful
2
Replies

Why does Apple Watch require user approval of a 2FA request?

howryan
Level 1
Level 1

‎08-09-2021 03:46 PM

As with the iPhone, when a 2FA request is sent to the Apple Watch, the user has to interact with the app and click “Approve Request.” But shouldn’t approval of 2FA notification be automatic as long as the Apple Watch is on your wrist and unlocked?

The watch being on your wrist and unlocked already confirms the second factor of authentication. It seems redundant to have to click “Approve Request” for 2FA on the Apple Watch. For example, when logging into a Macbook, if the user is wearing an Apple Watch, the password requirement is bypassed altogether - no extra steps are needed. The same should be the case for Duo 2FA requests - no extra steps.

This would be a great feature that would make logging in with Duo easier and would take advantage of the unique nature of the Apple Watch as opposed to just treating it like just a tiny iPhone.

Labels:
0 Helpful
2 Replies 2

Amy2
Level 5
Level 5

‎08-10-2021 11:49 AM

Hi @howryan, welcome to the Duo Community, and thank you for asking this question here!

No, and the reason for this is to verify the push is legitimate and initiated by you. Let’s say your account credentials were compromised and a malicious actor tried to log in. The second factor of authentication (requiring push approval, in this case) would stop them from gaining access. If you were to auto-approve the push notification, however, that would not be the case, and they could gain access with just your username and password. This is known as push phishing. You can read more about it in the first half of this Duo blog post, or there is a great Cyberscoop article that explains push phishing in more detail as well. Hope that answers your question!

I shared your comment and question with the Duo Mobile team as well.

Corbett Enders
Level 1
Level 1

‎08-17-2021 09:58 AM

This is a terrible request, and is not at all like logging into a Macbook. The Macbook knows your watch is near-by and therefore believes that it is you who is logging in. Not the same situation at all with Duo MFA. As Amy points out, the system being logged is verifying that it is you who is logging in.

Quick Links
     
                  Duo Release Notes   Duo Discussion Forums      
 
 
Customers Also Viewed These Support Documents