Skip to main content

iOS 14 adds domain-bound codes to make SMS one-time passcodes more secure

Earlier this year, Apple’s WebKit team proposed a change to the format of SMS one-time passcodes to make two-factor authentication more secure. Apple confirmed today that developers can already implement these changes with iOS 14 and macOS Big Sur.

With iOS 12, Apple has allowed websites and apps that require two-factor authentication to auto-fill codes sent via SMS. And now, the company is making this process even easier and secure by implementing something they call “domain-bound code.”

Additionally, starting with iOS 14 and macOS Big Sur, we’re adding an extra layer of security to SMS-delivered codes by allowing you to associate codes with a specific web domain.

Apple explains that domain-bound code allows iOS and macOS to suggest auto-filling the two-step authentication code only if the domain is a match for the website or one of your app’s associated domains.

Let’s say you get a code associated with the “twitter.com” domain. With iOS 14 and macOS Big Sur, this code can only be accessed by the official Twitter app or website. According to Apple, this change makes it harder for hackers to trick users with malicious websites asking for two-factor authentication codes.

For example, if you receive an SMS message that ends with @example.com #123456, AutoFill will offer to fill that code when they interact with example.com, any of its subdomains, or an app associated with example.com. If instead you receive an SMS message that ends with @example.net #123456, AutoFill will not offer the code on example.com or in example.com’s associated app.

Apple has shared an article with the documentation developers need to implement SMS domain-bound codes in apps and websites. While regular two-factor authentication codes will continue to work, the company recommends that developers update the codes to the new standard.

FTC: We use income earning auto affiliate links. More.

You’re reading 9to5Mac — experts who break news about Apple and its surrounding ecosystem, day after day. Be sure to check out our homepage for all the latest news, and follow 9to5Mac on Twitter, Facebook, and LinkedIn to stay in the loop. Don’t know where to start? Check out our exclusive stories, reviews, how-tos, and subscribe to our YouTube channel

Comments

Author

Avatar for Filipe Espósito Filipe Espósito

Filipe Espósito is a Brazilian tech Journalist who started covering Apple news on iHelp BR with some exclusive scoops — including the reveal of the new Apple Watch Series 5 models in titanium and ceramic. He joined 9to5Mac to share even more tech news around the world.

Manage push notifications

notification icon
We would like to show you notifications for the latest news and updates.
notification icon
You are subscribed to notifications
notification icon
We would like to show you notifications for the latest news and updates.
notification icon
You are subscribed to notifications