Apple's WebKit engineers are working on a standardized format for SMS messages containing one-time passcodes, an initiative that could one day better protect users by streamlining two-step authentication logins.
Posted to GitHub on Thursday, the proposal from Apple seeks to simplify the OTP SMS mechanism commonly used by websites, businesses and other entities to confirm login credentials as part of two-step authentication systems, reports ZDNet.
Two-step solutions require a user's password and another element, in this case a one-time code sent over SMS, to gain access to a target account. Currently, it is difficult to impossible for software to automatically extract the necessary information from an OTP SMS message, as they can arrive in a range of text formats. This means users must manually enter the provided code into an input box.
Apple's proposal seeks to eliminate user intervention in the OTP SMS process, namely copy-and-pasting one-time codes from messages into a browser. It also states that a more refined solution would ensure that one-time codes sent over SMS are used only on originating sites.
Using a "lightweight text format," the proposed format embeds an actionable one-time code in an SMS message and links that code to a particular originating URL. Doing so allows recipient systems to automatically extract the code and log in to an associated website.
Apple provides an example SMS:
747723 is your [website] authentication code.
The first line in the message above is optional human-readable text to explain the incoming message, while the second line contains information for programmatic use. Special characters are employed to denote the one-time code and originating URL, which in this case is "747723" and "website.com," respectively.
Apple and Google have signed on to the proposal, while Mozilla has not made an official statement on the standard, the report said.
For its part, Apple has moved its products from two-step verification to more secure two-factor authentication methods that rely on passcodes sent to pre-enrolled trusted devices.