What's different about this from what Android already does? It can already copy just the code or automatically parse the text for the code and fill it in. I thought it was an SMS format already that apps can use?
 
Love that Apple is spearheading this type of issue. Shows that in all areas within their realm, privacy and ease-of-use are not mutually exclusive. The goal is both, and that’s clear by their constant drive to innovate on both fronts. Kudos.
 
2FA using SMS is better than nothing, but is not very secure because of how SMS messages can be intercepted.

If Apple is pushing for standards, why not standardize a proper 2FA protocol (e.g., OATH) and require all smartphones to have a standard compatible authenticator app built-in?

Indeed, I bet Apple could do it by themselves if they just bundle a 2FA app into iOS using a common open protocol. It's hard to get users to download Authy or a similar app, but if it's built in it will take off. Service providers will be incentivized to adopt that protocol so their 2FA can be native in iOS, and the Androids will copy Apple as they always do.
 
I could see them integrating it into Settings under Passwords & Accounts…along with saving your password for a given site you can scan a QR code and have iOS generate one-time codes that would be generated and suggested above the keyboard, without using SMS, any time a one-time code is requested on the domain(s) associated with that account. It’d be a nice setup, but they’d absolutely be sherlocking Authy, 1Password, et al. I suppose they could also open up an API for those apps to suggest one-time codes, but that’d be risky, I feel like.
 
I think that some of the services I have used intentionally make the message long so that the code won't show up in the notification on most phones.

That way, the device has to be unlocked to read the code.

There is also often an element of warning people about scams.

I feel like Apple's proposal assumes that you want to use the code on the phone itself, and in my experience, that's rarely the case.

I like this proposal because codes are usually when I’m on my phone. I use auth apps that allow for pop-up approvals for desktop. That way I’m only clicking okay or not okay on my phone. No need to type **** in.
 
The way iOS captures the text code and fills it automatically is so convenient. It’s one of those little features that just makes things a bit easier and I smile every time it does it.
Agreed. It's also meant to work on macOS (assuming one has text forwarding on) but it's never worked for me. I get the SMS forwarded to my Mac, but Safari ignores it.
 
In 10-20 years SMS will be what fax is now... Something that should have been retired 10 years ago.
2FA via SMS is already an outdated technology.
The whole approach of using a username+password is so '90s. What we need is a secure authentication device, such as a SmartCard with an embedded PIN pad. Alternatively YubiKeys, which work similarly.
It's ridiculous that you can't use your bank card (which is a SmartCard) to log into your online banking...
 
But, if we are pushing people to unsafe options, then we are doing them a disservice. The fact that this still uses SMS as a delivery mechanism makes it less safe than other methods.

To me, I always want to use the safest option. In order:

1) Hardware Key (which is rare)
2) Soft/Hardware Key - Approval requests are sent to an app on my phone and I have to approve them there. (Best apps are ones that allow approval directly from the notification after I authenticate.)
3) TOTP - 1Password makes using TOTP so much easier.
4) SMS - Better than nothing, but becoming less safe these days.
5) Nothing.

*IF* an implementation of this encourages people to shift from a more secure to a less secure approach, then yes. You are correct. However, as others have noted this has the potential to shift people from the "Nothing" approach (your #5) to something far better. Sure, a Software Key is much better, but "grandma" won't use that. Make the minimum solution trivially easy and lots more websites/app might start using them.
 
Way to solve the problems of 10 years ago. Apple used to be more forward looking than this.

In 2020 sites should be using and supporting TOTP codes like those provided by Authy, or even better YubiKeys and the like. SMS two-factor is vulnerable to mobile provider compromise, and these attacks have occurred in the wild for high-value targets like crypto wallets.

How is this Apple's fault? Apple can't control what companies are doing with their security. All they can do is make it more convenient for users.
 
I agree. They could also use the Secure Enclave chips on their devices to hold the TOTP keys (similar to Yubikey Authenticator). Actually, Apple already has an offline TOTP generator in iOS and macOS ("get verification code"), but it's only usable for iCloud logins at the moment ...
 
Apple 2FA must be done on approved devices only. That is great,

but

doing 2FA by SMS can be “hacked” with SIM swapping, so I don’t think it is a secure way to do this.
 
More security is better than no security.

Do you lock your front door, even though it’s easily bypassed?

People arguing for more secure methods are missing the point.
 
"The lock you have on your door isn't good enough!" vs. "Any lock is better than none."

The point of 2FA with SMS is that everyone has it, even if they have a flip phone. This means a financial institution, website, etc. can implement it for every user, raising the security bar for all. Methods that require an additional "object" (I'll include TOTP apps in that definition) are not as universally usable, which leaves a population of users who cannot use that authentication method, or would resist using it.

It's something like biometric ID methods. A key point of biometrics is to encourage users to implement a passcode by removing some of the friction that comes with it. Overall, higher security for far more users. For every person who uses passcode-only because biometrics is less secure, there may be thousands who would not have used a passcode at all without the availability of biometrics.

Every technology that has broad availability is "so ten years ago." It's the nature of technology - it can't be implemented across an entire population instantly. For example, for TOTP to become truly widespread, TOTP should be embedded in every mobile and desktop OS. Between older devices that won't get OS upgrades and users who do not upgrade... that's a large population segment that would be left out. Five years pass, older devices are replaced... "everyone" now has OS-embedded TOTP.

The use of TOTP and hardware keys has traditionally been limited to high-value assets - corporate and government systems where employee behavior can be enforced, and high-net-worth individuals. There's a high cost to disseminating and administering hardware keys, and a customer support cost to implementing software-based TOTP. While I expect more and more consumer institutions will implement TOTP as an "enhanced security option," it would be many years before the broad population is sufficiently equipped and educated to make it mandatory.

In the meantime, the current "standard" can be improved. Why scoff at those attempts?
 
Yes please! I hate it when making a payment, your bank sends the text but you can only copy the entire message as a whole so you have to remember it. And the code expires after a few seconds.

Actually, not being able to select and copy text from messages is extremely annoying, like when someone sends you someone's phone number or email address but doesn't leave a space before and after it... The bane of my existence.
The one similar thing that bugs me to no end is with Apple themselves. I'm trying to do something with Apple on my iPhone, and it sends me a 2FA code on the iPhone I am trying to get in on. Why can't it transfer the code like with other messages, since I can't keep the code on my screen and enter it? I need to remember it and quickly enter it before I forget.
 
It is funny Apple would suggest this, because Apple uses its own two-factor authentication system that utilizes Apple device popups only rather than text.
 

The problem is when you build a site for the public, you realize that you can't replace SMS. SMS is identity-based, specifically, you get access to your phone number based on (hopefully) the carrier checking your government-issued ID. That doesn't hold for a token or authenticator.

Consider the case somebody loses their phone. What if they keep their USB token in their purse and it gets stolen? What if their house burns down?

A security person is going to say that they should print a recovery code and lock it up, but you know when you ask the public to do that, all you're going to get is a bunch of account lockouts.

If you have a company or government infrastructure that uses tokens, you don't have that problem, because your administrator verifies your ID and recovers it for you.
 
I agree this is an issue, but it's solvable.

At the very least, you can offer one-time 2FA bypasses by verifying identity in some other, much more rigorous and inconvenient way. For example, having the person submit a copy of their driver's license and charging a nominal fee to their credit card. Or, you can allow a one-time SMS-based 2FA once you've verified that the person is in actual possession of their phone and the SIM hasn't been jacked.

I understand that from a support standpoint all of that is more expensive. But security has a cost, right?

What I don't accept is that we standardize around a method that is known to be insecure - SMS.
 

Those all have difficulties. One is international: there are hundreds of formats of IDs in the US alone and you lose all the security features when they're imaged. People in many poorer countries may not even have government ID. What if somebody signed up to their account with a false name (for anonymity), a nickname, a maiden name?

Credit card charges are very insecure: they don't actually tell you whether the name is correct. The credit card company runs risk management and may deny a charge based on risk criteria. They may see just $1 and authorize it without question. Then add countries like China where citizens use PayPal-like services (Alipay). And countries where people don't have bank accounts period.

It's easy to dream up secure systems, but when you look into implementation details, especially to a public service, they rapidly fall apart. SMS is so prevalent because it's so universal.
 
There are a significant number of people who show message previews, something which is on by default, and as such you don't have to unlock the phone to see the code.

That's no longer true in iPhones with Face ID. The preview doesn't show the message unless Face ID authenticates the person looking at the phone that was locked.

I really wish banks, among others, would let me actually disable SMS 2FA since, as others have noted above, it is a false sense of security. Plenty of other options for 2FA like Authy, Google Authenticator, or YubiKey (especially now that it plugs into your phone).
My credit union’s suggestion to me was to set my 2-factor to email only, then protect my email with an authenticator app and a YubiKey as a backup. Unfortunately for my Capital One account the app only seems to support SMS.

I ended up leaving my credit union because they refuse to implement *any* form of 2FA. At my current bank I haven't entered my cell phone because I don't want SMS used for 2FA. They use my email instead.
 
Ever(y) so often Apple comes up with something that takes me back in time to 2013 and goes like, "Can't innovate anymore, my a**!"
 
I still raise an eyebrow at those that send out these one-time codes, and this goes for both iOS and Android, in that the message component of it before the code is way too short.

There are a significant number of people who show message previews, something which is on by default, and as such you don't have to unlock the phone to see the code. Exactly how is this a security measure, given most people get security breached by someone they know? It is these people, who are significantly more likely to be in the physical vicinity of the receiving device, that we need defending against, as opposed to some arbitrary turd on the other side of the planet.

All they need to do is lengthen what they're sending a bit so that the actual code does not appear in a message preview.

This isn't really the attack vector the second factor is for. It is more about "something you have". Just look at security keys like YubiKey, which are way more secure than SMS or app-based TOTP, yet the device itself is the second factor.
 