Apple Engineers Propose Standardized Format for SMS One-Time Passcodes

Apple WebKit engineers have put forward a proposal to make one-time passcode SMS messages more secure by developing a standardized format for the two-step verification process, reports ZDNet.


Two-step verification logins require a user's password and another element that only the user would know – in this case, a one-time code sent via text message – to gain access to an online account.

As it stands, these SMS messages can arrive in a variety of formats, making it difficult or impossible for apps and websites to detect them and automatically extract their information.

Apple's proposal has two goals. The first is to introduce a way that one-time passcode SMS messages can be associated with the website, by adding the login URL inside the message itself.

The second goal is to standardize the format of the SMS messages, so that browsers and other apps can identify the incoming message, recognize the URL, and then extract the OTP code for automatic insertion into the appropriate login field on the website.

The idea behind automating OTP entry is that it eliminates the risk of users falling for a scam and entering an OTP code on a phishing site with a different URL.

Apple developers provided the following example of the new format SMS message for OTP codes:

747723 is your WEBSITE authentication code.
@website.com #747723

The first line is intended for the user, enabling them to determine the website that the SMS OTP code came from, while the second line is processed by browsers and apps so that they can automatically extract the OTP code and complete the 2FA login operation.

If auto-complete fails, users will be able to check the URL of the website that sent the text against the site they're trying to log in to.

According to the report, Google Chrome engineers are already on board with Apple's proposal, but Mozilla's Firefox team have yet to provide official feedback on the standard.

The new proposals would add another layer of security to Apple's existing security code autofill feature, introduced in iOS 12, that can detect one-time passcodes in Messages and display them conveniently above the user's keyboard.

Top Rated Comments

(View all)
Avatar
17 weeks ago
The way iOS captures the text code and fills it automatically is so convenient. It’s one of those little features that just makes things a bit easier and I smile every time it does it.
Score: 36 Votes (Like | Disagree)
Avatar
17 weeks ago
now work on auto deleting those messages after 10 minutes.
They pile up.
Score: 21 Votes (Like | Disagree)
Avatar
17 weeks ago


Way to solve the problems of 10 years ago. Apple used to be more forward looking than this.

If the problems of ten years ago aren’t solved yet that makes them the problems of today.

I could likely get my mother to use 2FA by sms but I’d never be able to convince her of carrying around an Authenticator device or using a keygen app. If we have the opportunity, shouldn’t we refine all options?
Score: 12 Votes (Like | Disagree)
Avatar
17 weeks ago
2FA using SMS is better than nothing, but is not very secure because of how SMSs can be intercepted.

If Apple is pushing for standards, why not standardize a proper 2FA protocol (e.g., OATH) and require all smartphones to have a standard compatible authenticator app built-in?

Indeed, I bet Apple could do it by themselves if they just bundle a 2FA app into iOS using a common open protocol. It's hard to get users to downloading Authy or similar app, but if its built-in it will take off. Service providers will be incentivized to adopt that protocol so their 2FA can be native in iOS, and the Androids will copy Apple as they always do.
Score: 5 Votes (Like | Disagree)
Avatar
17 weeks ago
It’s a very Apple like proposal - it just works.


The way iOS captures the text code and fills it automatically is so convenient. It’s one of those little features that just makes things a bit easier and I smile every time it does it.

Score: 5 Votes (Like | Disagree)
Avatar
17 weeks ago
Yes please! I hate it when making a payment, your bank sends the text but you can only copy the entire message as a whole so you have to remember it. And the code expires after a few seconds.

Actually, not being able to select and copy text from messages is extremely annoying, like when someone sends you someones phone number or email address but doesn't leave a space before and after it... The bane of my existence.
Score: 4 Votes (Like | Disagree)

Top Stories

'This App is No Longer Shared' iOS Bug Preventing Some Apps From Opening

Friday May 22, 2020 3:58 pm PDT by
An app bug is causing some iOS users to be unable to open their apps, with affected iPhone and iPad users seeing the message "This app is no longer shared with you" when attempting to access an app. There are multiple complaints about the issue on the MacRumors forums and on Twitter from users who are running into problems. A MacRumors reader describes the issue:Is anyone else experiencing...

Apple Reissuing Numerous iOS App Updates, Potentially Related to Recent 'This App is No Longer Shared' Bug

Sunday May 24, 2020 9:13 pm PDT by
Over the past few hours, a number of MacRumors readers have reported seeing dozens or even hundreds of pending app updates showing in the App Store on their iOS devices, including for many apps that were already recently updated by the users. In many cases, the dates listed on these new app updates extend back as far as ten days. Apple has not shared any information as to why updates for...

Top Stories: Apple Glass and iPhone 12 Rumors, iOS 13.5 Update, and More!

Saturday May 23, 2020 6:00 am PDT by
It was another big week for rumors this week, with a flurry of reports about Apple's augmented reality glasses, the iPhone 12, and Apple's "AirPods Studio" over-ear headphones. This week also saw the release of iOS 13.5, bringing a number of health-related updates to Apple's mobile devices. Subscribe to the MacRumors YouTube channel for more videos. Other topics of interest this week included ...

Apple's 'Bounce' AirPods Ad Wins 'Best of Advertising' Award

Friday May 22, 2020 10:09 am PDT by
Apple's creative "Bounce" ad designed to highlight the AirPods took top honors in the 99th annual ADC (Art Director's Club) awards for advertising, earning the "Best of Discipline" award along with two Gold Cube awards in the craft in video and branded content categories. Released in June 2019, the ad features a bored man who pulls his AirPods off of their wireless charging pad and then pops ...

Jailbreak Tool 'unc0ver' 5.0 Released With iOS 13.5 Compatibility

Sunday May 24, 2020 3:06 pm PDT by
The team behind the "unc0ver" jailbreaking tool for iOS has released version 5.0.0 of its software that claims to have the ability to jailbreak "every signed iOS version on every device" using a zero-day kernel vulnerability by Pwn20wnd, a renowned iOS hacker. The announcement comes just days after it was announced that the tool would soon launch. The unc0ver website highlights how the tool...

Apple's 'AirPods Studio' Over-Ear Headphones Have Reportedly Kicked Off Production

Friday May 22, 2020 7:03 am PDT by
We've been hearing quite a bit recently about Apple's long-rumored over-ear headphones, said to be called "AirPods Studio," and it looks like a launch may be coming in the relatively near future. Artist mockup based on Beats Studio3 Rumors have generally suggested a summer or fall launch for AirPods Studio, with a report earlier this week claiming that suppliers in Vietnam will begin...

Future AirPods to Include 'Ambient Light Sensors' Possibly Related to Rumored Health Features

Monday May 25, 2020 2:53 am PDT by
Apple is reportedly looking to integrate light sensors in a new model of AirPods in the next couple of years, according to a new report today, suggesting their use could be part of rumored upcoming health monitoring features in the true wireless earbuds. In a paywalled article, DigiTimes reports that ASE Technology could be involved in manufacturing the sensors: Apple is expected to...

'Apple Glass' Rumored to Start at $499, Support Prescription Lenses, and More

Tuesday May 19, 2020 6:30 am PDT by
Front Page Tech host and leaker Jon Prosser today shared several alleged details about Apple's rumored augmented reality glasses, including an "Apple Glass" marketing name, $499 starting price, prescription lens option, and more. The marketing name will be "Apple Glass" The glasses will start at $499 with the option for prescription lenses at an extra cost There will be displays in both...

Former iOS Chief Scott Forstall Shares Intriguing Story of His Interview With Steve Jobs at NeXT

Friday May 22, 2020 4:01 am PDT by
Former Apple executive and iOS chief Scott Forstall made a rare public appearance this week at Code.org's virtual Code Break event, and in between classes, Forstall shared the intriguing story of how he was hired by Steve Jobs. Forstall revealed that he had been considering working at Microsoft when he went to interview at NexT, the company started by Jobs after he had left Apple. Forstall...

Apple Memorial Day Deals: Shop the Best Apple Accessory Sales From Twelve South, eBay, Anker, Mophie, and More

Friday May 22, 2020 6:39 am PDT by
We're now just a few days away from Memorial Day on Monday, May 25, and numerous retailers have opened up discounts in celebration of the holiday. This includes sales on helpful Apple-related accessories like Anker's portable batteries, Beats headphones at eBay, Incase and Incipio's protective iPad and iPhone cases, Mophie's iPhone battery cases, JBL's Bluetooth speakers, and much more. Note:...