I tried living with just the Apple Watch instead of the Touch ID for a few months to see how reliable it was...
Sometimes it would take a few minutes in the morning before my Mac would even recognize 'hey, there's a watch' (typing in my full password was usually much quicker than waiting for the watch unlock).
Sometimes whatever notification happens that triggers the watch to vibrate and allow the double-squeeze-to-accept action would just... not.
Other times the above notification would pop up about 8-15 seconds after the prompt on the screen.
It was inconsistent enough I got _really_ good at typing my password, since it was normally quicker than waiting on the Apple Watch.
Contrast that with the Touch ID, that's always ready to go.
You can use apple watch for password managers and all macos passwords prompts. Does require an apple silicon mac iirc.
The main downside is it doesn't always recognize and it takes a few seconds to trigger. I'd love a separate touch id. But absent that the watch is quite useful.
there's a PAM that you can install that lets you use your Watch for superuser actions. i uninstalled it some years ago because it got kind-of old and Watch authentication is buggy anyway.
The Apple Watch knows that it's you, or at least somebody that knows your PIN.
It's tied to your iPhone and Apple account during initial setup.
Each time you put the Apple Watch on, you have to enter your PIN to unlock it. It can only perform automatic unlocking of your Mac and iPhone in this unlocked state.
The watch does automatic wrist detection and it will automatically RE-lock itself as soon as you take it off.
This is reasonably secure for most needs, though of course you can disable all of this automatic unlocking if you want more security. I forget if it's on by default or not. IIRC I had to enable it but I'm not too sure.
I'm not sure that "PIN + hardware dongle that requires continuous skin contact" is meaningfully less secure than a fingerprint sensor, but at least Apple puts you in the driver's seat to choose the level you're most comfortable with.
I've found the Bluetooth connectivity quite reliable. When it doesn't work, it's because the watch re-locked itself.
The watch needs to be unlocked either with a PIN code or can be set to unlock on close proximity to iPhone which unlocks via Face ID (or Touch ID, or a passcode). Once it is in an authenticated state it remains unlocked while it is attached to a wrist. I’m not totally clear how it detects when it separates from a wrist (probably a light sensor, heart rate sensor or some heuristic derived from the both - but it’s pretty instantaneous and reliable). “Privileged” actions like payments or escalation prompts still require a double click of the watch’s physical button to confirm, but in this authenticated state it is possible to use the watch to unlock Mac or iPhone based on proximity alone.
It has no concept of “who” you are, only that it got positively authenticated while on a wrist by proximity to your iPhone unlock or a manual correct PIN entry and hasn’t separated from that wrist since.
if i remember right, to activate the security (touch id like) feature you need the phone to be on your account. there are more restrictions than just pure activation.
