
Apple's SMS one-time passcode proposal moves forward with help from Google

Apple previously relied on two-step verification for Apple ID before moving to a two-factor protocol.


Apple's effort to develop a standardized format for one-time passcodes sent through SMS messages is moving forward with the help of Google engineers, as the proposal this month garnered official status as a Web Platform Incubator Community Group (WICG) specification draft.

Announced in an updated GitHub explainer, the initial draft of Apple's "Origin-bound one-time codes delivered via SMS" project was published by the WICG on April 2. The draft is co-edited by Theresa O'Connor from Apple and Sam Goto from Google.

First proposed by Apple WebKit engineers and backed by Google in January, the initiative seeks to simplify the OTP-over-SMS mechanism commonly used by websites, businesses and other entities to verify a login as the second step of a two-step authentication system.

While many websites and online services use OTP over SMS, there is no standardized format for the text of the incoming message. As such, "programmatic extraction of codes from [SMS messages] has to rely on heuristics, which are often unreliable and error-prone. Additionally, without a mechanism for associating such codes with specific websites, users might be tricked into providing the code to malicious sites," the WICG publication notes.

Currently, users must manually read the passcode out of the message and type it into a text field on the requesting website. Apple wants to move beyond that status quo with a more refined solution that also provides a higher degree of security.

Using a "lightweight text format," the proposal embeds a machine-readable one-time code in the SMS message and binds that code to the origin (the website domain) it was issued for. The receiving browser or operating system can then extract the code and offer to fill it in automatically, but only on a page whose origin matches the one named in the message. A phishing page on a different domain therefore never gets the code offered to it, which is the "origin-bound" part of the name.

An example OTP SMS:

747723 is your [website] authentication code.

@website.com #747723
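To make the origin-binding concrete, here is an added example (not code from the WICG draft, Apple or Google) of how a receiving user agent could parse the message format shown above and release the code only to a matching origin. It assumes the shape seen on this page: a human-readable line followed by a final line of the form `@host #code`. The exact grammar and host-matching rules of the draft are not reproduced here; this example requires an exact hostname match, which is the strictest reading. The sample messages and origins are constructed for illustration.

```javascript
// Added example, not part of the WICG draft or any vendor implementation.
// Assumed format (from the message shown on this page):
//   <human-readable text>
//   @<host> #<code>
// Only the last line carries the machine-readable origin binding.

function parseOriginBoundOtp(smsText) {
  const lines = smsText
    .split(/\r?\n/)
    .map((l) => l.trim())
    .filter((l) => l.length > 0);
  if (lines.length === 0) return null;

  const last = lines[lines.length - 1];
  // "@host #code": host is a bare hostname, code is any non-whitespace token.
  const m = /^@([a-z0-9.-]+)\s+#(\S+)$/i.exec(last);
  if (!m) return null; // legacy, unbound message: nothing to autofill
  return { host: m[1].toLowerCase(), code: m[2] };
}

// Extract the hostname from an origin/URL string; null if it does not parse.
function hostFromOrigin(origin) {
  try {
    return new URL(origin).hostname.toLowerCase();
  } catch (e) {
    return null;
  }
}

// The security check: hand the code to a page only when the page's host
// is exactly the host the message was bound to. Assumption: exact match;
// the draft's own matching rules may differ.
function otpForOrigin(smsText, requestingOrigin) {
  const parsed = parseOriginBoundOtp(smsText);
  if (parsed === null) return null;
  const host = hostFromOrigin(requestingOrigin);
  if (host === null || host !== parsed.host) return null;
  return parsed.code;
}

// Constructed sample inputs (not real traffic).
const SAMPLE_BOUND =
  "747723 is your website.com authentication code.\n\n@website.com #747723";
const SAMPLE_LEGACY = "Your verification code is 747723"; // no binding line
const GENUINE_ORIGIN = "https://website.com/login";
const LOOKALIKE_ORIGIN = "https://website.com.evil.example/login"; // phishing-style

// Stand-alone demonstration.
console.log(otpForOrigin(SAMPLE_BOUND, GENUINE_ORIGIN)); // 747723
console.log(otpForOrigin(SAMPLE_BOUND, LOOKALIKE_ORIGIN)); // null
console.log(otpForOrigin(SAMPLE_LEGACY, GENUINE_ORIGIN)); // null
```

Note that the lookalike host `website.com.evil.example` fails the check because the binding is compared as a whole hostname, not as a substring; the human-readable first line is ignored entirely, so a phisher controlling the text of that line gains nothing. A message without the trailing `@host #code` line is treated as unbound and is never offered for autofill.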

ZDNet reported on the WICG development on Tuesday.

"This proposal attempts to reduce some of the risks associated with SMS delivery of one-time codes," the explainer reads. "It does not attempt to reduce or solve all of them. For instance, it doesn't solve the SMS delivery hijacking risk, but it does attempt to reduce the phishing risk."

Publication as a WICG specification draft does not necessarily mean Apple's format will see mass deployment, but it does show the project is moving forward.

24 Comments

seanismorris 9 Years · 1624 comments

I'll use it when required, but I worry OTP over SMS gives a false sense of security. SMS isn't secure.

Making OTP over SMS more convenient doesn't solve the underlying problem. SMS needs to be replaced with a new standard, rather than putting lipstick on a pig.

Xed 5 Years · 2966 comments

How much better is this 2FA over nothing at all? Probably a little because it means the bad actors need to do more work to access your accounts, but SMS isn't secure. I'd much rather see Apple include an authenticator app option for iCloud and in their iCloud Keychain, and then push authenticator apps as the best option for everyone.

1 Like · 0 Dislikes
fastasleep 15 Years · 6455 comments

Here's something I don't understand. Why does Apple's 2FA send a login notice and code to the same device you're trying to log into something with (ie your iCloud or Apple Support account etc). Doesn't that defeat the purpose, even if it is a "trusted device"?

4 Likes · 0 Dislikes
Xed 5 Years · 2966 comments

fastasleep said:
Here's something I don't understand. Why does Apple's 2FA send a login notice and code to the same device you're trying to log into something with (ie your iCloud or Apple Support account etc). Doesn't that defeat the purpose, even if it is a "trusted device"?

The trusted device is to help "prove" that they are fairly certain that the owner of the device is logging in. This is because it's an internet-facing access point, which means that someone in Russia can't simply obtain your email and password from the dark web to access your account. That means they'd also have to go through the effort to spoof your SMS (i.e.: trick the carrier into thinking they're the user) so they can pretend to be your device when Apple sends a 2FA code to your phone number. Unless you're being targeted directly this is usually too much trouble.

3 Likes · 0 Dislikes
fastasleep 15 Years · 6455 comments

Xed said:
Here's something I don't understand. Why does Apple's 2FA send a login notice and code to the same device you're trying to log into something with (ie your iCloud or Apple Support account etc). Doesn't that defeat the purpose, even if it is a "trusted device"?
The trusted device is to help "prove" that they are fairly certain that the owner of the device is logging in. This is because it's an internet-facing access point, which means that someone in Russia can't simply obtain your email and password from the dark web to access your account. That means they'd also have to go through the effort to spoof your SMS (i.e.: trick the carrier into thinking they're the user) so they can pretend to be your device when Apple sends a 2FA code to your phone number. Unless you're being targeted directly this is usually too much trouble.

I meant the macOS dialog that pops up with the map that says "Someone is trying to log into your account, do you want to allow them" and then provides the 6-digit code to enter in Safari. So I literally drag the modal window away from covering up the 6-digit fields and type in the number. I get that it prevents someone from logging in elsewhere, but let's say someone snatched my Mac while it wasn't locked; they would then be able to get into iCloud.com or anything else that uses that 2FA system. The alternative would be to send that modal to every other device on your list, so I'd have to get the code from my iPhone or iPad, etc.

2 Likes · 0 Dislikes