
Apple is making SMS-based one-time passcodes more secure by tying them to domains

Apple Domain Based multi-factor Codes (Image credit: Apple)

What you need to know

  • Apple is making SMS-based one-time passwords more secure.
  • Those passwords can be tied to a particular domain.
  • That means Safari will check that a code came from the site it is being entered on.

Way back in January, Apple's WebKit team suggested a new format for SMS one-time passcodes that would make them more secure. Now, in a new post on its developer website, Apple has announced that developers can already take advantage of the feature.

According to the post, Apple will now allow developers to associate their one-time passcodes with a domain, allowing Safari on iPhone, iPad, and Mac to check the code is associated with the correct domain before offering to use AutoFill.

Apple calls this new feature "domain-bound codes" and it should prevent fake codes from being generated and then auto-filled by Safari.

When you use a domain-bound code, AutoFill will suggest the code if — and only if — the domain is a match for the website or one of your app's associated domains. For example, if you receive an SMS message that ends with @example.com #123456, AutoFill will offer to fill that code when you interact with example.com, any of its subdomains, or an app associated with example.com. If instead you receive an SMS message that ends with @example.net #123456, AutoFill will not offer the code on example.com or in example.com's associated app. This makes it harder for an attacker to trick someone into entering one-time codes into a phishing site.

Apple notes, however, that standard codes will still be supported; it does suggest that developers adopt the new domain-bound codes as well.

While iOS and macOS will also display regular SMS-delivered codes in addition to domain-bound codes, we encourage everyone employing this authentication method to adopt this standard to provide a more secure experience for people on your website or app. If a message contains no domain information, it will continue to be offered in all relevant fields through AutoFill.
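The two rules above (a bound code is offered only on the named domain, its subdomains, or an associated app; an unbound code is offered everywhere) can be modelled in a few lines. This is an added example, not Apple's or the article's code; the exact line grammar `@domain #code` and the helper names are assumptions based only on the sample messages shown here.

```python
import re
from typing import Optional, Tuple

# Assumed line grammar (the article shows "@example.com #123456" as the
# message ending; Apple's exact specification is not on this page).
_BOUND = re.compile(r"@(?P<domain>[A-Za-z0-9.-]+)\s+#(?P<code>\S+)\s*$")

def parse_sms(text: str) -> Tuple[Optional[str], Optional[str]]:
    """Return (bound_domain, code); bound_domain is None for a legacy code."""
    lines = text.strip().splitlines()
    last = lines[-1] if lines else ""
    m = _BOUND.search(last)
    if m:
        return m.group("domain").lower().rstrip("."), m.group("code")
    # Legacy message with no domain information: take the first 4-8 digit run.
    digits = re.search(r"\b\d{4,8}\b", text)
    return None, (digits.group(0) if digits else None)

def domain_matches(bound: str, host: str) -> bool:
    """True when host is the bound domain or one of its subdomains.
    A host such as example.com.evil.net does NOT match example.com."""
    host = host.lower().rstrip(".")
    return host == bound or host.endswith("." + bound)

def should_offer(text: str, host: str, associated_domains=()) -> Optional[str]:
    """Code AutoFill should offer for the page at `host` (or an app whose
    associated domains are `associated_domains`), else None."""
    bound, code = parse_sms(text)
    if code is None:
        return None
    if bound is None:
        return code  # no domain binding: offered in all relevant fields
    if any(domain_matches(bound, c) for c in (host, *associated_domains)):
        return code
    return None

if __name__ == "__main__":
    # Constructed sample messages, not real traffic.
    bound_com = "Your example.com code is 123456.\n\n@example.com #123456"
    bound_net = "Your example.net code is 123456.\n\n@example.net #123456"
    legacy = "Your code is 654321"
    print(should_offer(bound_com, "example.com"))           # 123456
    print(should_offer(bound_com, "login.example.com"))     # 123456
    print(should_offer(bound_com, "example.com.evil.net"))  # None
    print(should_offer(bound_net, "example.com"))           # None
    print(should_offer(legacy, "example.com"))              # 654321
```

The lookalike host `example.com.evil.net` is the case the suffix check exists for: a plain substring match would offer the code there.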

All of this kicks in when iOS 14, iPadOS 14, and macOS 11 Big Sur arrive this fall.

Developers can learn more about implementing the new codes on Apple's developer portal.

Oliver Haslam
Contributor
