Apple’s WebKit team is proposing a change to the format of SMS one-time passcodes. The WebKit team’s hope is to make the two-factor authentication process more secure, and the proposal outlines two goals to help achieve that.
ZDNet details the proposal, which was shared by Apple engineers on GitHub this week. The first goal is to make it possible for SMS one-time passcodes to be associated with a URL. To do this, Apple engineers propose adding the login URL to the SMS itself.
Part two of the proposal centers on standardizing the format of two-factor authentication SMS passcodes. This would allow browsers and mobile applications to detect the one-time passcodes and recognize the domain. From there, the browser or app could “automatically extract the OTP code and complete the login operation without further user interaction.”
Thus far, both Google and Apple engineers have backed the proposal. Mozilla has not yet commented on the proposal.
Below is the format of SMS one-time passcodes that Apple’s WebKit engineers propose. The first line is meant for users to recognize where the message is coming from, while the second line is for the website or app to read and complete the verification:
747723 is your WEBSITE authentication code.
ZDNet has more explanation of how this could work, particularly with regard to preventing phishing attacks:
Apps and browsers will automatically extract the OTP code and complete the 2FA login operation. If there’s a mismatch and the auto-complete operation fails, human readers will be able to see the website’s actual URL, and compare it to the site they’re trying to log in to. If the two are not the same, then users will be alerted that they’re actually on a phishing site and abandon their login operation.
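To make the matching step concrete, here is an added example in JavaScript; it is not code from the article, from ZDNet, or from the WebKit proposal itself. It assumes the machine-readable part of the message is a final line of the form `@host #code` (the `@website.com #747723` shape used in the published proposal text), and that a browser compares that host against the host of the page currently asking for the code. The sample messages and hostnames are constructed. For contrast, it also shows the pre-proposal heuristic of grabbing the first run of digits, which has no origin to check and so happily fills a code into a phishing page.

```javascript
// Added example (not the WebKit proposal's own code). Assumption: the
// machine-readable line is the last non-empty line, "@<host> #<code>".
const ORIGIN_LINE_RE = /^@([^\s#/]+)\s+#(\S+)$/;

// Normalise a host the way a browser would (lowercase, IDN -> punycode).
// Returns null for anything the URL parser rejects.
function normalizeHost(host) {
  try {
    return new URL('https://' + host).host;
  } catch {
    return null;
  }
}

// Parse the origin-bound line out of an SMS. Returns {host, code} or null
// when the message carries no machine-readable origin at all.
function parseOriginBoundCode(sms) {
  const lines = sms.split(/\r?\n/).map((l) => l.trim()).filter(Boolean);
  if (lines.length === 0) return null;
  const m = ORIGIN_LINE_RE.exec(lines[lines.length - 1]);
  if (!m) return null;
  const host = normalizeHost(m[1]);
  if (host === null) return null;
  return { host, code: m[2] };
}

// The decision a browser makes: autofill only when the SMS names the host
// of the page that is asking. Anything else is either ignored (no origin
// in the message) or surfaced to the user as a mismatch.
function decideAutofill(sms, currentPageUrl) {
  const parsed = parseOriginBoundCode(sms);
  if (!parsed) return { action: 'ignore', reason: 'no origin-bound line' };

  let pageHost;
  try {
    pageHost = new URL(currentPageUrl).host;
  } catch {
    return { action: 'ignore', reason: 'bad page URL' };
  }

  if (pageHost === parsed.host) {
    return { action: 'autofill', host: pageHost, code: parsed.code };
  }
  return { action: 'warn', expected: parsed.host, actual: pageHost };
}

// Pre-proposal behaviour for comparison: take the first 4-8 digit run.
// Nothing here ties the code to a site, which is the weakness being fixed.
function legacyExtract(sms) {
  const m = /\b\d{4,8}\b/.exec(sms);
  return m ? m[0] : null;
}

// Constructed sample messages.
const SMS_ORIGIN_BOUND =
  '747723 is your WEBSITE authentication code.\n\n@website.com #747723';
const SMS_LEGACY = 'Your code is 123456. Do not share it.';

// Stand-alone run: genuine site, look-alike phishing site, legacy message.
console.log(decideAutofill(SMS_ORIGIN_BOUND, 'https://website.com/login'));
console.log(decideAutofill(SMS_ORIGIN_BOUND, 'https://website-login.example/login'));
console.log(decideAutofill(SMS_LEGACY, 'https://website.com/login'));
console.log('legacy heuristic would fill:', legacyExtract(SMS_LEGACY));
```

The comparison is an exact host match, so a code bound to `website.com` is not filled on `accounts.website.com`; that is the conservative reading of "origin" and the one a browser should start from. Both hosts go through the URL parser so that an internationalized domain in the SMS and its punycode form in the address bar compare equal.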
With iOS 12, Apple added a security code auto-fill feature, which reads incoming SMS one-time passcodes and offers them as an autofill suggestion on whatever page is asking for a code, without checking which site that is. This new proposal takes things to the next level by binding the code to a domain, adding one more layer of protection for users against potential phishing attacks.