Google backs Apple's SMS OTP standard proposal
Google is now backing a standard proposed by Apple engineers in January to create a default format for one-time passcodes (OTP) sent via SMS to users during the two-factor authentication (2FA) process.
The standard, proposed by Apple engineers working on the Safari WebKit project, has now reached the status of official Web Platform Incubator Community Group (WICG) specification draft.
We’ve moved “Origin-bound one-time codes delivered via SMS” to @wicg_, where we’re working on a shared spec with our collaborators at Google. Please take a look!
— Ricky Mondello (@rmondello) April 3, 2020
Updated explainer: https://t.co/2D6rMI3l5E
Specification: https://t.co/fY1A6VgAn5
The proposal aims to fix some issues with the current state of SMS 2FA/OTP codes, all of which have different formats, unique per the websites sending the codes.
In January, Apple engineers came up with the idea to structure these messages and have the same identical format for all SMS 2FA operations going forward.
The primary contribution that the new standard makes is to mandate that all SMS OTP messages contain the URL of the website that has the code.
According to the new proposal, the new SMS format for OTP codes would look like below:
747723 is your WEBSITE authentication code.
@website.com #747723
The first line is intended for human users, allowing them to determine from what website the SMS OTP code came from.
The second line is for mobile apps and browsers, which will be able to extract the OTP code and finish the 2FA operation. If there's a mismatch and the auto-complete operation fails, then the user will be prompted to review the SMS and enter the code by hand.
Experts believe that mismatching errors will most likely take place during attacks with modern phishing kits that can bypass 2FA codes.
"This proposal attempts to reduce some of the risks associated with SMS delivery of one-time codes," Apple and Google engineers wrote in a revised explainer.
"It does not attempt to reduce or solve all of them. For instance, it doesn't solve the SMS delivery hijacking risk, but it does attempt to reduce the phishing risk."
However, despite the palpable security benefits, for the time being, Mozilla has not expressed any public interest towards supporting the new standard. Standard proposals have gotten stuck at the WICG before; however, Apple's proposal has received overwhelmingly positive reviews since it was put forward in January.