How does unlocking via Watch use the laptop password?

During Watch Mac-unlocking setup, the iPhone prompts for the laptop user password, but the iOS security guide (last updated in May 2016) does not describe how that password will be used.

  • Does the iPhone need it only for the initial iPhone-Mac-Watch tethering, or does it save the password and use it for every unlock?
  • Does it send the password (encrypted or not) to iCloud services?
  • Do I have to provide the new password to the iPhone and Watch after I change it on the Mac?

Apple has now transitioned much of the “enter your iCloud password” to be “enter the password for device X” for unlocking the keys in the keychain.


The rest of this answer is likely out of date, but was the best I knew in 2016.

I've tested most of your scenarios and don't believe the password ever leaves the Mac. Instead, Apple builds up a cryptographic key pair to sign packet exchange between the watch and the computer with anti-replay aspects and time of flight calculations to ensure the watch is really sending the packets now in real time before the unlock happens.

The anti-replay means that you can't record those packets and then play them later to unlock the Mac. Basically Apple leverages the iCloud security that is set up for two-factor authentication and keychain syncing to exchange the cryptographic keys needed to sign the data to establish a verified signal and prevent hacking into your Mac with a synthetic or bogus signal.

  • https://support.apple.com/en-us/HT206995

The iOS 10 security guide is not out yet nor is the watchOS 3 guide. I'll update this post if I can find more technical details going forward.
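
The anti-replay and timing checks described in the answer above, sketched as an added example that is not part of the original answer and is not Apple's protocol. HMAC with a shared key stands in for the key-pair signature, and `MacVerifier`, `watch_respond` and `MAX_ROUND_TRIP` are hypothetical names and values.

```python
import hashlib
import hmac
import os

MAX_ROUND_TRIP = 0.010  # seconds; hypothetical bound, not an Apple value


def watch_respond(key: bytes, nonce: bytes) -> bytes:
    """Watch side: authenticate the fresh challenge it was just sent."""
    return hmac.new(key, nonce, hashlib.sha256).digest()


class MacVerifier:
    """Mac side: issues single-use challenges and checks timed responses."""

    def __init__(self, key: bytes):
        self.key = key
        self.pending = {}  # nonce -> time the challenge was sent

    def challenge(self, now: float) -> bytes:
        nonce = os.urandom(16)
        self.pending[nonce] = now
        return nonce

    def verify(self, nonce: bytes, tag: bytes, now: float) -> str:
        sent_at = self.pending.pop(nonce, None)  # pop: each nonce works once
        if sent_at is None:
            return "rejected: replayed or unknown challenge"
        if now - sent_at > MAX_ROUND_TRIP:
            return "rejected: response too slow"
        expected = hmac.new(self.key, nonce, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return "rejected: bad authentication tag"
        return "unlocked"


def run_demo() -> list:
    key = os.urandom(32)  # constructed sample key
    mac = MacVerifier(key)
    results = []
    n1 = mac.challenge(now=0.000)
    t1 = watch_respond(key, n1)
    results.append(mac.verify(n1, t1, now=0.004))  # fresh and fast
    results.append(mac.verify(n1, t1, now=0.006))  # recorded packet replayed
    n2 = mac.challenge(now=1.000)
    results.append(mac.verify(n2, t1, now=1.003))  # old tag, new challenge
    n3 = mac.challenge(now=2.000)
    results.append(mac.verify(n3, watch_respond(key, n3), now=2.500))  # late
    return results
```

Timestamps are passed in explicitly so the outcome is deterministic; a real verifier would read a monotonic clock.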