
Apple changed how two-factor authentication SMS codes look for better security

iPhone 12 Pro Max Blue Hero (Image credit: Bryan M. Wolfe / iMore)

What you need to know

  • Apple has changed the way two-factor authentication SMS messages look.
  • Now, iOS, iPadOS, and macOS will only offer to autofill Apple's codes on authentic websites.

Apple has made a change to the way two-factor authentication SMS messages look in an attempt to help boost security.

Apple's change essentially means that any time it sends you a new SMS as a form of two-factor authentication, the message will only be offered for autofill on Apple's own services and websites, thanks to a new piece of text added to the message. As reported by Macworld, the move was first proposed more than a year ago — in August 2020, to be exact.

The new messages include more text than usual, and have already been rolling out for the last few weeks:

  • A standard human-readable message, including the code, followed by a new line.
  • The scoped domain as @domain.tld.
  • The code repeated again as #123456.
  • If the site uses an embedded HTML element, called an iframe, the source of the iframe is listed after %, such as %ecommerce.example. (The original spec specifies @; Apple appears to be using % for its texts.)

This whole system works in a similar way to how password managers and iCloud Keychain will only present a password on a specified website or in an associated app. This means that fake websites can't use autofill to accept a two-factor authentication code because iOS, iPadOS, and macOS will spot that the domains don't match.

iOS, iPadOS, and macOS offer to fill in the code that most recently arrived via SMS in the Messages app into any properly formatted field, including a phishing site's verification-code field. That makes it too easy for scammers. However, if the text message is scoped as Apple suggested, operating systems starting with iOS 15, iPadOS 15, and macOS 11 Big Sur will only offer to autofill on sites whose domain name matches. The protection isn't perfect, but it's a simple update that beefs up the defenses.
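As an added illustration of the scoping rule described above (this is example code, not Apple's implementation or anything from the Macworld article), here is a small parser that reads the scope line of an SMS and decides whether a browser should offer the code for autofill. The hostnames and message bodies are constructed, and exact, case-insensitive host matching is an assumption made here.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Sample SMS bodies, constructed for this example.
SCOPED_SMS = "Your Example code is 123456.\n@example.com #123456"
SCOPED_IFRAME_SMS = "Your Example code is 123456.\n@example.com #123456 %ecommerce.example"
LEGACY_SMS = "Your Example code is 123456."  # no scope line: old-style message

@dataclass
class OriginBoundCode:
    domain: str                      # value after @
    code: str                        # value after #
    iframe_host: Optional[str] = None  # value after %, if present

# Each token on the scope line is a one-character prefix followed by a value.
_TOKEN = re.compile(r"^([@#%])(\S+)$")

def parse_origin_bound_code(sms: str) -> Optional[OriginBoundCode]:
    """Parse the last line of an SMS as an origin-bound one-time code.
    Returns None when the message is not scoped (no @domain plus #code)."""
    stripped = sms.strip()
    last_line = stripped.splitlines()[-1] if stripped else ""
    fields = {}
    for token in last_line.split():
        m = _TOKEN.match(token)
        if not m:
            return None  # unprefixed text on the last line: treat as unscoped
        prefix, value = m.group(1), m.group(2)
        fields[prefix] = value if prefix == "#" else value.lower()
    if "@" not in fields or "#" not in fields:
        return None
    return OriginBoundCode(fields["@"], fields["#"], fields.get("%"))

def autofill_allowed(sms: str, page_host: str, frame_host: Optional[str] = None) -> bool:
    """Decide whether to offer the code on page_host (the top-level site) and,
    when the field lives inside an iframe, on frame_host (assumed exact match)."""
    parsed = parse_origin_bound_code(sms)
    if parsed is None:
        return True   # legacy unscoped message: the old, riskier behaviour
    if page_host.lower() != parsed.domain:
        return False  # lookalike or unrelated domains are refused here
    if frame_host is None:
        return True
    return parsed.iframe_host is not None and frame_host.lower() == parsed.iframe_host
```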

You still need to keep an eye on where you are clicking and what passwords you are entering, but this SMS change should at least help matters.

You can read more about how this all works in the original Macworld article, too.

Oliver Haslam

Oliver Haslam has written about Apple and the wider technology business for more than a decade with bylines on How-To Geek, PC Mag, iDownloadBlog, and many more. He has also been published in print for Macworld, including cover stories. At iMore, Oliver is involved in daily news coverage and, not being short of opinions, has been known to 'explain' those thoughts in more detail, too.

Having grown up using PCs and spending far too much money on graphics card and flashy RAM, Oliver switched to the Mac with a G5 iMac and hasn't looked back. Since then he's seen the growth of the smartphone world, backed by iPhone, and new product categories come and go. Current expertise includes iOS, macOS, streaming services, and pretty much anything that has a battery or plugs into a wall. Oliver also covers mobile gaming for iMore, with Apple Arcade a particular focus. He's been gaming since the Atari 2600 days and still struggles to comprehend the fact he can play console quality titles on his pocket computer.