Apple WebKit engineers have proposed a standardized format for one-time passcode (OTP) SMS messages, intended to make the SMS-based two-factor authentication (2FA) login process more secure.
Two-step verification for logins requires both a user’s password and a second factor that only the legitimate user should possess – in this case, a unique code sent by SMS text message to the user’s phone – to gain access to an online account.
ZDNet reports that Apple’s proposal has two goals. The first is to introduce a way to associate a one-time SMS message with a specific website, which is accomplished by including the login URL (the site’s domain) inside the SMS itself.
The second goal is to standardize the format of 2FA/OTP SMS messages, so browsers and other mobile apps can identify the incoming SMS, recognize the URL inside the message, and then automatically extract the OTP code, completing the login operation without further user interaction.
Currently, SMS messages used in the process can arrive in a variety of formats, making it difficult for apps and websites to detect them and extract their information.
The reasoning behind automating OTP entry is to take the user out of the decision: the browser only fills the code into a page whose origin matches the site named in the message, so a user cannot be duped into auto-submitting an OTP code on a phishing site that has a different URL. (A user who ignores the mismatch and types the code by hand can still be phished, so the scheme reduces rather than removes that risk.)
The new proposal includes an example of the new SMS format for OTP codes:
747723 is your WEBSITE authentication code.
@website.com #747723
The first line is human-readable and lets users see which website the SMS OTP code came from. The second line is the machine-readable part: “@” followed by the site’s domain, then “#” followed by the code. Browsers and apps parse this line to extract the OTP and complete the 2FA login, but only after checking that the domain matches the page requesting the code.
If there’s a mismatch and the auto-complete operation fails, users can still see the website’s actual domain in the message and compare it with the site they’re trying to log in to. If the two do not match, that is the signal that they have landed on a phishing site and should abandon the login.
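To make the check concrete, here is an added example, written for this page and not taken from the WebKit proposal or any browser’s implementation, of how a browser or autofill agent could parse the format shown above and decide whether to offer the code to a page. It assumes (my assumptions, not the article’s) that the binding line is the last line of the message, that it has the shape “@host #code”, that hosts are compared case-insensitively and must match exactly, and that the code is any run of non-space characters. The sample messages are constructed.

```javascript
// Added example (not the WebKit proposal's own code): parse an origin-bound
// SMS OTP and apply the host check before the code may be autofilled.
//
// Assumptions (mine, not from the article): the binding line is the last
// line of the message, shaped "@<host> #<code>"; hosts are compared
// case-insensitively and must match exactly; the code is non-whitespace.
const BINDING_LINE = /^@([a-z0-9.-]+) #(\S+)$/i;

// Parse an SMS body. Returns { host, code } or null when the message does
// not carry an origin-bound code (e.g. a legacy free-form OTP message).
function parseOriginBoundCode(smsText) {
  const lines = smsText.trim().split(/\r?\n/);
  const last = lines[lines.length - 1].trim();
  const m = BINDING_LINE.exec(last);
  if (!m) return null;
  return { host: m[1].toLowerCase(), code: m[2] };
}

// Decide whether the code may be autofilled into a page served from
// pageOrigin. Returns the code on a host match, null otherwise. A mismatch
// is exactly the phishing case in which the browser must not fill the code
// and the user is left to notice the domain in the message.
function codeForOrigin(smsText, pageOrigin) {
  const parsed = parseOriginBoundCode(smsText);
  if (!parsed) return null;
  let pageHost;
  try {
    pageHost = new URL(pageOrigin).hostname.toLowerCase();
  } catch {
    return null; // malformed origin: never autofill
  }
  return parsed.host === pageHost ? parsed.code : null;
}

// Constructed sample messages: one in the proposed format, one legacy.
const SMS_OK = "747723 is your WEBSITE authentication code.\n@website.com #747723";
const SMS_LEGACY = "Your verification code is 747723"; // no binding line

// Example usage:
// codeForOrigin(SMS_OK, "https://website.com")              -> "747723"
// codeForOrigin(SMS_OK, "https://website.com.evil.example") -> null (wrong host)
// codeForOrigin(SMS_LEGACY, "https://website.com")          -> null (no binding line)
```

Note that a legacy message with no binding line yields null rather than a guessed code: the whole point of the format is that autofill happens only when the message itself names the site, so anything else is left for the user to read.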
Google Chrome engineers are reportedly on board with Apple’s proposal. However, the Mozilla Firefox team has yet to provide official feedback on the proposal.