Skip to main content

Apple engineers have a proposal to standardize two-factor authentication messages, and Google is on board

Apple ID 2FA on an iPhone X
Apple ID 2FA on an iPhone X (Image credit: iMore)

What you need to know

  • Apple engineers have unveiled a proposal to standardize the format of two-factor authentication.
  • It has suggested the use of a new SMS format for one-time-passcode messages.
  • The new format would include the website the code is meant for, information that could be automatically extracted by a browser or app.

Apple WebKit engineers have unveiled a new proposal that could standardize the format of two-factor-authentication messages to improve security and prevent users from falling for phishing scams.

As reported by ZDNet, Apple engineers working on WebKit, a core component of Safari have come up with the idea, but Google's Chromium engineers are also on board. According to the report:

Apple engineers have put forward a proposal today to standardize the format of the SMS messages containing one-time passcodes (OTP) that users receive during the two-factor authentication (2FA) login process.The proposal comes from Apple engineers working on WebKit, the core component of the Safari web browser.The proposal has two goals. The first is to introduce a way that OTP SMS messages can be associated with a URL. This is done by adding the login URL inside the SMS itself.The second goal is to standardize the format of 2FA/OTP SMS messages, so browsers and other mobile apps can easily detect the incoming SMS, recognize web domain inside the message, and then automatically extract the OTP code and complete the login operation without further user interaction.

As the report notes, by including the URL of the intended website within the SMS, it would mean websites and apps could automatically detect and read a 2FA SMS message, inputting the data. This would certainly be more convenient than remembering and then typing the keycode in. However, more importantly, by ensuring the code would only work with a specific, intended website, the plan could eliminate the risk of falling for a scam, whereby a user might unwittingly enter their 2FA code into a phishing site.

The text format would look like this:

747723 is your WEBSITE authentication code. @website.com #747723

The first line is for human users, the second for apps and browsers. The browser/app would automatically detect and extract the code. If the URL in the browser/app doesn't match what's in the text, the operation will fail. Users would then be able to see that the website provided is not the same as the one they're trying to log into, potentially alerting them to a scam or an unsafe website.

The report notes, as mentioned, that Apple's WebKit developers (who came up with the idea) and Google's (Chromium) engineers are on board with the proposal. Mozilla Firefox has not given an official response yet. In terms of a rollout, the report notes:

Once browsers will ship components for reading SMS OTP codes in this new format, major providers of SMS OTP codes are expected to switch to using it. As of now, Twilio has already expressed interest in implementing the new format for its SMS OTP services.

Stephen Warwick
News Editor

Stephen Warwick has written about Apple for five years at iMore and previously elsewhere. He covers all of iMore's latest breaking news regarding all of Apple's products and services, both hardware and software. Stephen has interviewed industry experts in a range of fields including finance, litigation, security, and more. He also specializes in curating and reviewing audio hardware and has experience beyond journalism in sound engineering, production, and design.

Before becoming a writer Stephen studied Ancient History at University and also worked at Apple for more than two years. Stephen is also a host on the iMore show, a weekly podcast recorded live that discusses the latest in breaking Apple news, as well as featuring fun trivia about all things Apple.

2 Comments
  • This still doesn't solve the SIM Swapping problem. If a hacker ports your number the code will still work fine for them. We should be replacing SMS 2FA with something else. Instead of it be based on your phone number it should be based on device. Apple and Google should have push 2FA as an option for websites. Instead of texting you a code they send it to your Apple or Google Account and you press yes or no button. To set it up you could use your phone number and your phone sees this unique ID and text or emails back your unique account ID so the service has it on file for future 2FA. Your phone number is only used for setup.
  • There is probably more left out of this. The way this can work can actually prevent SIM swapping by also using the local authentication of your phone. Additionally, geolocation could be added.