What you need to know
- Apple engineers have unveiled a proposal to standardize the format of two-factor authentication.
- It has suggested the use of a new SMS format for one-time-passcode messages.
- The new format would include the website the code is meant for, information that could be automatically extracted by a browser or app.
Apple WebKit engineers have unveiled a new proposal that could standardize the format of two-factor-authentication messages to improve security and prevent users from falling for phishing scams.
As reported by ZDNet, Apple engineers working on WebKit, a core component of Safari have come up with the idea, but Google's Chromium engineers are also on board. According to the report:
Apple engineers have put forward a proposal today to standardize the format of the SMS messages containing one-time passcodes (OTP) that users receive during the two-factor authentication (2FA) login process.
The proposal comes from Apple engineers working on WebKit, the core component of the Safari web browser.
The proposal has two goals. The first is to introduce a way that OTP SMS messages can be associated with a URL. This is done by adding the login URL inside the SMS itself.
The second goal is to standardize the format of 2FA/OTP SMS messages, so browsers and other mobile apps can easily detect the incoming SMS, recognize web domain inside the message, and then automatically extract the OTP code and complete the login operation without further user interaction.
As the report notes, by including the URL of the intended website within the SMS, it would mean websites and apps could automatically detect and read a 2FA SMS message, inputting the data. This would certainly be more convenient than remembering and then typing the keycode in. However, more importantly, by ensuring the code would only work with a specific, intended website, the plan could eliminate the risk of falling for a scam, whereby a user might unwittingly enter their 2FA code into a phishing site.
The text format would look like this:
747723 is your WEBSITE authentication code. @website.com #747723
The first line is for human users, the second for apps and browsers. The browser/app would automatically detect and extract the code. If the URL in the browser/app doesn't match what's in the text, the operation will fail. Users would then be able to see that the website provided is not the same as the one they're trying to log into, potentially alerting them to a scam or an unsafe website.
The report notes, as mentioned, that Apple's WebKit developers (who came up with the idea) and Google's (Chromium) engineers are on board with the proposal. Mozilla Firefox has not given an official response yet. In terms of a rollout, the report notes:
Once browsers will ship components for reading SMS OTP codes in this new format, major providers of SMS OTP codes are expected to switch to using it. As of now, Twilio has already expressed interest in implementing the new format for its SMS OTP services.
We may earn a commission for purchases using our links. Learn more.
Apple's 'High Desert' will star Patricia Arquette, directed by Ben Stiller
The new comedy series follows the story of Peggy, a former addict who decides to become a private investigator after her mother dies.
CEO of UK smartphone carrier EE tells employees a 5G iPhone is 'days away'
Marc Allera, CEO of EE, says that a 5G iPhone is "just days away" in a new video shared with the carrier's employees.
Czech girl tips off authorities to malicious apps on iOS and Android
Malicious apps on both iOS and Android reportedly clocked 2.4 million downloads and over $500,000 in revenue. The apps bombarded users with intrusive ads and even hid their icons to prevent users from uninstalling them.
Your iPhone 11 Pro will love these screen protectors!
The screen on your new iPhone is very expensive to replace. Because of this, you may want to consider buying an inexpensive screen protector