Affiliate Disclosure
If you buy through our links, we may get a commission. Read our ethics policy.

Apple's SMS one-time passcode proposal moves forward with help from Google

Mikey Campbell |

Apple previously relied on two-step verification for Apple ID before moving to a two-factor protocol.

Apple's effort to develop a standardized format for one-time passcodes sent through SMS messages is moving forward with the help of Google engineers, as the proposal this month garnered official status as a Web Platform Incubator Community Group (WICG) specification draft.

Announced in an updated GitHub explainer, an initial report of Apple's "Origin-bound one-time codes delivered via SMS" project was published by the WICG on April 2. The draft was co-edited by Theresa O'Connor from Apple and Sam Goto from Google.

First proposed by Apple WebKit engineers and backed by Google in January, the initiative seeks to simplify the OTP SMS mechanism commonly used by websites, businesses and other entities to confirm login credentials as part of two-step authentication systems.

While many websites and online services use OTP over SMS, a standardized method of formatting incoming messages text does not exist. As such, "programmatic extraction of codes from [SMS messages] has to rely on heuristics, which are often unreliable and error-prone. Additionally, without a mechanism for associating such codes with specific websites, users might be tricked into providing the code to malicious sites," the WICG publication notes.

Currently, users must manually input provided passcodes into a text field on a host website. Apple wants to push the status quo with a more refined solution that would also provide a higher degree of security.

Using a "lightweight text format," the proposed format embeds an actionable one-time code in an SMS message and links that code to an originating URL. The recipient system can then extract the code and log in to an associated website automatically.

An example OTP SMS:

747723 is your [website] authentication code.

@website.com #747723

ZDNet reported on the WICG development on Tuesday.

"This proposal attempts to reduce some of the risks associated with SMS delivery of one-time codes," the explainer reads. "It does not attempt to reduce or solve all of them. For instance, it doesn't solve the SMS delivery hijacking risk, but it does attempt to reduce the phishing risk."

Publication as a WICG specification draft does not necessarily mean Apple's protocol will see mass deployment, but it does show the project is moving forward.

 

Top Stories

article thumbnail

Amazon's latest Apple deals make perfect Mother's Day gifts (and prices start at just $24)

article thumbnail

Apple's macOS 15 to get rare cognitive boost via Project GreyParrot

article thumbnail

How to use Delta for iPhone to emulate retro games on your iPhone

article thumbnail

New HomePod part leak shows off glossy display cover

article thumbnail

Apple Notes in iOS 18 looks to up the ante with Microsoft OneNote

article thumbnail

When to expect every Mac to get the AI-based M4 processor

article thumbnail

Grab Apple's new M3 MacBook Air for $999