What you need to know
- Apple engineers have unveiled a proposal to standardize the format of two-factor authentication.
- The proposal suggests a new SMS format for one-time-passcode messages.
- The new format would include the website the code is meant for, information that could be automatically extracted by a browser or app.
Apple WebKit engineers have unveiled a new proposal that could standardize the format of two-factor-authentication messages to improve security and prevent users from falling for phishing scams.
As reported by ZDNet, Apple engineers working on WebKit, a core component of Safari, have come up with the idea, but Google's Chromium engineers are also on board. According to the report:
As the report notes, including the URL of the intended website in the SMS would let websites and apps automatically detect and read a 2FA SMS message and enter the code themselves. This would certainly be more convenient than remembering the code and typing it in. More importantly, by ensuring the code only works with a specific, intended website, the plan could eliminate the risk of a user unwittingly entering their 2FA code into a phishing site.
The text format would look like this:
The first line is for human users, the second for apps and browsers. The browser/app would automatically detect and extract the code. If the URL in the browser/app doesn't match what's in the text, the operation will fail. Users would then be able to see that the website provided is not the same as the one they're trying to log into, potentially alerting them to a scam or an unsafe website.
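The matching step described above, as an added example that is not part of the article or of the WebKit proposal: a browser or app parses the machine-readable last line, compares the bound domain with the host of the page the user is actually on, and only autofills on a match. The `@domain #code` syntax of that line and the exact-host comparison are assumptions made for this example, since the article does not reproduce the format.

```python
import re
from urllib.parse import urlsplit

# Constructed sample messages. Line 1 is for the human reader; the last line is
# the machine-readable part. Its "@domain #code" syntax is an assumption here.
SMS_BOUND = "123456 is your ExampleShop login code.\n@example.com #123456"
SMS_LEGACY = "Your ExampleShop login code is 123456"

_BOUND_LINE = re.compile(r"^@(?P<host>[A-Za-z0-9.-]+)\s+#(?P<code>[A-Za-z0-9]{4,12})$")


def parse_bound_code(sms: str):
    """Return (host, code) from the last line, or None if the SMS is not origin-bound."""
    lines = [ln.strip() for ln in sms.strip().splitlines() if ln.strip()]
    if not lines:
        return None
    m = _BOUND_LINE.match(lines[-1])
    if m is None:
        return None
    return m.group("host").lower(), m.group("code")


def evaluate_sms(sms: str, page_url: str) -> dict:
    """Decide what a browser or app should do with an incoming code.

    "fill"   : bound host matches the open page, the code may be autofilled.
    "reject" : bound host differs from the open page; do not fill, and surface the
               mismatch so the user can see the code was issued for another site.
    "ignore" : no machine-readable line, so there is nothing to autofill.
    """
    page_host = (urlsplit(page_url).hostname or "").lower()
    parsed = parse_bound_code(sms)
    if parsed is None:
        return {"action": "ignore", "code": None, "bound_host": None, "page_host": page_host}
    host, code = parsed
    if host != page_host:  # exact host match; a subdomain policy would be a design choice
        return {"action": "reject", "code": None, "bound_host": host, "page_host": page_host}
    return {"action": "fill", "code": code, "bound_host": host, "page_host": page_host}


if __name__ == "__main__":
    # The legitimate site, a lookalike domain, and a message without the bound line.
    for url in ("https://example.com/login", "https://examp1e.com/login"):
        print(url, evaluate_sms(SMS_BOUND, url))
    print(evaluate_sms(SMS_LEGACY, "https://example.com/login"))
```

The check only establishes which site a code was issued for; it says nothing about who currently controls the phone number that received it.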
The report notes, as mentioned, that Apple's WebKit developers (who came up with the idea) and Google's (Chromium) engineers are on board with the proposal. Mozilla Firefox has not given an official response yet. In terms of a rollout, the report notes:
Stephen Warwick has written about Apple for five years at iMore and previously elsewhere. He covers all of iMore's latest breaking news regarding all of Apple's products and services, both hardware and software. Stephen has interviewed industry experts in a range of fields including finance, litigation, security, and more. He also specializes in curating and reviewing audio hardware and has experience beyond journalism in sound engineering, production, and design.
Before becoming a writer, Stephen studied Ancient History at university and also worked at Apple for more than two years. Stephen is also a host on the iMore show, a weekly podcast recorded live that discusses the latest in breaking Apple news, as well as featuring fun trivia about all things Apple.
This still doesn't solve the SIM swapping problem. If a hacker ports your number, the code will still work fine for them. We should be replacing SMS 2FA with something else. Instead of it being based on your phone number, it should be based on the device. Apple and Google should have push 2FA as an option for websites. Instead of texting you a code, they send it to your Apple or Google account and you press a yes or no button. To set it up you could use your phone number, and your phone sees this unique ID and texts or emails back your unique account ID so the service has it on file for future 2FA. Your phone number is only used for setup.
There is probably more left out of this. The way this can work can actually prevent SIM swapping by also using the local authentication of your phone. Additionally, geolocation could be added.