Apple Webkit Engineers Unveil Proposal To Make Sms One Time Passcodes More Secure

Apple’s WebKit team is proposing a change to the format of SMS one-time passcodes. The WebKit team’s hope is to make the two-factor authentication process more secure, and the proposal outlines two goals to help achieve that.

ZDNet details the proposal, which was shared by Apple engineers on GitHub this week. The first goal is to make it possible for SMS one-time passcodes to be associated with a URL. To do this, Apple engineers propose adding the login URL to the SMS itself.

Part two of the proposal centers on standardizing the format of two-factor authentication SMS passcodes. This would allow browsers and mobile applications to detect the one-time passcodes and recognize the domain. From there, the browser or app could “automatically extract the OTP code and complete the login operation without further user interaction.”

Thus far, both Google and Apple engineers have backed the proposal. Mozilla has not yet commented on the proposal.

Below is the format of SMS one-time passcodes that Apple’s WebKit engineers propose. The first line is meant for users to recognize where the message is coming from, while the second line is for the website or app to read and complete the verification:

747723 is your WEBSITE authentication code.

@website․com #747723

ZDNet has more explanation on how this could work, particularly in regards to preventing phishing attacks:

With iOS 12, Apple added a new security code auto-fill feature, which automatically reads SMS one-time passcodes and fills them in on the originating site. This new proposal takes things to the next level, with a particular focus on improving security and adding one more layer of protection for users against potential phishing attacks.