MacRumors

macrumors bot
Original poster
Apr 12, 2001

Apple WebKit engineers have put forward a proposal to make one-time passcode SMS messages more secure by developing a standardized format for the two-step verification process, reports ZDNet.


Two-step verification logins require a user's password and another element that only the user would know - in this case, a one-time code sent via text message - to gain access to an online account.

As it stands, these SMS messages can arrive in a variety of formats, making it difficult or impossible for apps and websites to detect them and automatically extract their information.

Apple's proposal has two goals. The first is to introduce a way that one-time passcode SMS messages can be associated with the website, by adding the login URL inside the message itself.

The second goal is to standardize the format of the SMS messages, so that browsers and other apps can identify the incoming message, recognize the URL, and then extract the OTP code for automatic insertion into the appropriate login field on the website.

The idea behind automating OTP entry is that it eliminates the risk of users falling for a scam and entering an OTP code on a phishing site with a different URL.

Apple developers provided the following example of the new format SMS message for OTP codes:
747723 is your WEBSITE authentication code.
@website.com #747723
The first line is intended for the user, enabling them to determine the website that the SMS OTP code came from, while the second line is processed by browsers and apps so that they can automatically extract the OTP code and complete the 2FA login operation.

If auto-complete fails, users will be able to check the URL of the website that sent the text against the site they're trying to log in to.

According to the report, Google Chrome engineers are already on board with Apple's proposal, but Mozilla's Firefox team have yet to provide official feedback on the standard.

The new proposals would add another layer of security to Apple's existing security code autofill feature, introduced in iOS 12, that can detect one-time passcodes in Messages and display them conveniently above the user's keyboard.

Article Link: Apple Engineers Propose Standardized Format for SMS One-Time Passcodes
 
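As an added example (not Apple's code, and not taken from the proposal text), here is how a browser or autofill component could handle the two-line format quoted above: parse the machine-readable last line, then release the code to a page only when the host named in the message exactly matches the host of the page requesting it. The regular expressions for the host and code fields, the HTTPS-only rule, and the sample messages are this example's own assumptions, not details from the proposal.

```javascript
// Added example (not Apple's code): parse the machine-readable last line of an
// origin-bound SMS one-time code, following the two-line example in the article:
//
//   747723 is your WEBSITE authentication code.
//   @website.com #747723
//
// Everything except the "@host #code" line is treated as human-readable text.
// The field rules below (host charset, code charset) are this example's own
// assumptions, not details quoted from the proposal.

const HOST_RE = /^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?(?:\.[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?)+$/i;
const CODE_RE = /^[A-Za-z0-9]{4,20}$/;

// Returns { host, code } or null when the message carries no usable machine-readable line.
function parseOtpMessage(message) {
  const lines = message.split(/\r?\n/).map((l) => l.trim()).filter(Boolean);
  if (lines.length === 0) return null;
  const last = lines[lines.length - 1];
  if (!last.startsWith('@')) return null;        // legacy, free-form message: nothing to extract
  const fields = last.split(/\s+/);
  if (fields.length !== 2 || !fields[1].startsWith('#')) return null;
  const host = fields[0].slice(1).toLowerCase();
  const code = fields[1].slice(1);
  if (!HOST_RE.test(host) || !CODE_RE.test(code)) return null;
  return { host, code };
}

// Autofill decision: hand the code to the page only if the host named in the
// message is exactly the host of the page asking for it. A lookalike domain
// therefore never receives the code, which is the point of binding the code
// to the site. Requiring HTTPS is an assumption of this example.
function otpForOrigin(message, pageOrigin) {
  const parsed = parseOtpMessage(message);
  if (!parsed) return null;
  let pageHost;
  try {
    const url = new URL(pageOrigin);
    if (url.protocol !== 'https:') return null;
    pageHost = url.hostname.toLowerCase();
  } catch {
    return null;                                  // malformed origin: refuse to autofill
  }
  return parsed.host === pageHost ? parsed.code : null;
}

// Constructed sample messages (not real SMS traffic).
const SAMPLE_STANDARD = '747723 is your WEBSITE authentication code.\n@website.com #747723';
const SAMPLE_LEGACY = 'Your verification code is 747723. Do not share it with anyone.';

function demo() {
  return {
    legit: otpForOrigin(SAMPLE_STANDARD, 'https://website.com/login'),             // "747723"
    phish: otpForOrigin(SAMPLE_STANDARD, 'https://website.com.evil.example/login'), // null
    legacy: otpForOrigin(SAMPLE_LEGACY, 'https://website.com/login'),               // null
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(demo());
}
```

The exact-host comparison is deliberately strict: a message bound to website.com is not released to login.website.com or to a lookalike such as website.com.evil.example. A real implementation would have to decide how to treat subdomains, but a mismatch failing closed (returning null) is the safe default, and it is the behaviour that removes the user from the decision the phishing site is counting on.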
Firefox and Mozilla are slow to adapt and make decisions because they are not a top-down commercial corporation. They are a team of open-source people.
 
I think that some of the services I have used intentionally make the message long so that the code won't show up in the notification on most phones.

That way, the device has to be unlocked to read the code.

There is also often an element of warning people about scams.

I feel like Apple's proposal assumes that you want to use the code on the phone itself, and in my experience, that's rarely the case.
 
Way to solve the problems of 10 years ago. Apple used to be more forward looking than this.

In 2020 sites should be using and supporting TOTP codes like those provided by Authy, or even better, YubiKeys and the like. SMS two-factor is vulnerable to mobile provider compromise, and these attacks have occurred in the wild for high-value targets like crypto wallets.
 



Love that feature and always miss it in Chrome, so I was surprised this didn't happen sooner. That being said, I rarely get to use the feature anymore since SMS is so insecure, which this proposal doesn't help with, and it may see people switching from more secure options to SMS for this convenience.

I hate Apple's one where it pops up a window with a code that can't be copied on the Mac to the place you are entering it on the Mac. I assume it's more secure, but with 1Password you can use non-SMS one-time passwords that get put into your clipboard when the website prompts for it, and it clears the clipboard right after. But Apple doesn't support using its version through Google Authenticator-type methods.
 
Way to solve the problems of 10 years ago. Apple used to be more forward looking than this.

If the problems of ten years ago aren’t solved yet that makes them the problems of today.

I could likely get my mother to use 2FA by SMS, but I'd never be able to convince her to carry around an authenticator device or use a keygen app. If we have the opportunity, shouldn't we refine all options?
 
I still raise an eyebrow at those that send out these one-time codes, and this goes for both iOS and Android, in that the message component before the code is way too short.

There are a significant number of people who show message previews, something which is on by default, and as such you don't have to unlock the phone to see the code. Exactly how is this a security measure, given most people get breached by someone they know? It is these people, who are significantly more likely to be in the physical vicinity of the receiving device, that we need defending against, as opposed to some arbitrary turd on the other side of the planet.

All they need to do is lengthen what they're sending a bit so that the actual code does not appear in a message preview.
 
I think that some of the services I have used intentionally make the message long so that the code won't show up in the notification on most phones.

That way, the device has to be unlocked to read the code.

There is also often an element of warning people about scams.

I feel like Apple's proposal assumes that you want to use the code on the phone itself, and in my experience, that's rarely the case.

The proposal is for SMS, so it obviously has to go wherever you have SMS, which in general means your phone, but if you have your computer set up to get your SMS too then it will work there as well. Though for Mac users that's already possible with iMessage, so this change will be more meant for non-Apple users.
 
If the problems of ten years ago aren’t solved yet that makes them the problems of today.

I could likely get my mother to use 2FA by SMS, but I'd never be able to convince her to carry around an authenticator device or use a keygen app. If we have the opportunity, shouldn't we refine all options?

But, if we are pushing people to unsafe options, then we are doing them a disservice. The fact that this still uses SMS as a delivery mechanism makes it less safe than other methods.

To me, I always want to use the safest option. In order:

1) Hardware Key (which is rare)
2) Soft/Hardware Key - Approval requests are sent to an app on my phone and I have to approve them there. (Best apps are ones that allow approval directly from the notification after I authenticate.)
3) TOTP - 1Password makes using TOTP so much easier.
4) SMS - Better than nothing, but becoming less safe these days.
5) Nothing.
 
I'd rather it wasn't sent as an SMS message at all. I'd prefer some kind of standard where it isn't sent over SMS, so it doesn't clog up your texts and is more secure.
 
Also needs a time stamp and some type of two key verification. Would be better as a qr code with image recognition.
 
The way iOS captures the text code and fills it automatically is so convenient. It’s one of those little features that just makes things a bit easier and I smile every time it does it.

Not to be that person, but that existed on Android way before iOS implemented it. I had it on my work phone and was wishing for Apple to implement it for the longest time until they finally did.
 
I’d rather it wasn’t sent as an SMS message at all. I’d prefer some kind of standard where it wasn’t sent over SMS at all and so it doesn’t clog up your texts and is more secure.
Hmm, but what? As you say it should be a standard, nothing proprietary, and would need to go to a unique target like SMS does. Maybe a new feature in the mobile phone networks?
 
I really wish banks, among others, would let me actually disable SMS 2FA since, as others have noted above, it is a false sense of security. Plenty of other options exist for 2FA, like Authy, Google Authenticator, or YubiKey (especially now that it plugs into your phone).
 
Hmm, but what? As you say it should be a standard, nothing proprietary, and would need to go to a unique target like SMS does. Maybe a new feature in the mobile phone networks?

I don't know, I'm not that technical on this front, but something that isn't sent over SMS, as there are loads of stories out there of mobile networks swapping SIMs with hackers so they can intercept codes.

Perhaps USB keys could work somehow? If there was a way for the key to communicate through to the browser with a code or confirmation to allow access.
 
Yes please! I hate it when making a payment, your bank sends the text but you can only copy the entire message as a whole so you have to remember it. And the code expires after a few seconds.

Actually, not being able to select and copy text from messages is extremely annoying, like when someone sends you someone's phone number or email address but doesn't leave a space before and after it... The bane of my existence.
 
I don't know, I'm not that technical on this front, but something that isn't sent over SMS, as there are loads of stories out there of mobile networks swapping SIMs with hackers so they can intercept codes.

Perhaps USB keys could work somehow? If there was a way for the key to communicate through to the browser with a code or confirmation to allow access.
My credit union's suggestion to me was to set my two-factor to email only, then protect my email with an authenticator app and a YubiKey as a backup. Unfortunately, for my Capital One account the app only seems to support SMS.
 
If the problems of ten years ago aren’t solved yet that makes them the problems of today.

I could likely get my mother to use 2FA by SMS, but I'd never be able to convince her to carry around an authenticator device or use a keygen app. If we have the opportunity, shouldn't we refine all options?

Way to omit a key part of the quote you’re replying to, good job putting up a straw man argument to argue against. 👏

The original poster was saying we shouldn’t be using SMS for this, not pushing users to use SMS, because it’s absolutely not safe.
 
I think that some of the services I have used intentionally make the message long so that the code won't show up in the notification on most phones.

That way, the device has to be unlocked to read the code.

There is also often an element of warning people about scams.

I feel like Apple's proposal assumes that you want to use the code on the phone itself, and in my experience, that's rarely the case.

No, Apple's proposal assumes you are using Apple's ecosystem, in which case the code sent to your phone is also sent to your Mac.
 