Apple ID 2FA on an iPhone XSource: iMore

What you need to know

  • Apple engineers have unveiled a proposal to standardize the format of two-factor authentication.
  • It has suggested the use of a new SMS format for one-time-passcode messages.
  • The new format would include the website the code is meant for, information that could be automatically extracted by a browser or app.

Apple WebKit engineers have unveiled a new proposal that could standardize the format of two-factor-authentication messages to improve security and prevent users from falling for phishing scams.

As reported by ZDNet, Apple engineers working on WebKit, a core component of Safari have come up with the idea, but Google's Chromium engineers are also on board. According to the report:

Apple engineers have put forward a proposal today to standardize the format of the SMS messages containing one-time passcodes (OTP) that users receive during the two-factor authentication (2FA) login process.

The proposal comes from Apple engineers working on WebKit, the core component of the Safari web browser.

The proposal has two goals. The first is to introduce a way that OTP SMS messages can be associated with a URL. This is done by adding the login URL inside the SMS itself.

The second goal is to standardize the format of 2FA/OTP SMS messages, so browsers and other mobile apps can easily detect the incoming SMS, recognize web domain inside the message, and then automatically extract the OTP code and complete the login operation without further user interaction.

As the report notes, by including the URL of the intended website within the SMS, it would mean websites and apps could automatically detect and read a 2FA SMS message, inputting the data. This would certainly be more convenient than remembering and then typing the keycode in. However, more importantly, by ensuring the code would only work with a specific, intended website, the plan could eliminate the risk of falling for a scam, whereby a user might unwittingly enter their 2FA code into a phishing site.

Cyber Monday may be over but these Cyber Week deals are still alive

The text format would look like this:

747723 is your WEBSITE authentication code. #747723

The first line is for human users, the second for apps and browsers. The browser/app would automatically detect and extract the code. If the URL in the browser/app doesn't match what's in the text, the operation will fail. Users would then be able to see that the website provided is not the same as the one they're trying to log into, potentially alerting them to a scam or an unsafe website.

The report notes, as mentioned, that Apple's WebKit developers (who came up with the idea) and Google's (Chromium) engineers are on board with the proposal. Mozilla Firefox has not given an official response yet. In terms of a rollout, the report notes:

Once browsers will ship components for reading SMS OTP codes in this new format, major providers of SMS OTP codes are expected to switch to using it. As of now, Twilio has already expressed interest in implementing the new format for its SMS OTP services.