Apple wants to standardize the format of SMS OTPs (one-time passcodes)

WebKit team proposal aims to improve the security of one-time passcodes sent to users via SMS.
Written by Catalin Cimpanu, Contributor

Apple engineers have put forward a proposal today to standardize the format of the SMS messages containing one-time passcodes (OTP) that users receive during the two-factor authentication (2FA) login process.

The proposal comes from Apple engineers working on WebKit, the core component of the Safari web browser.

The proposal has two goals. The first is to introduce a way for OTP SMS messages to be associated with a URL. This is done by adding the login URL inside the SMS itself.

The second goal is to standardize the format of 2FA/OTP SMS messages, so browsers and other mobile apps can easily detect the incoming SMS, recognize the web domain inside the message, and then automatically extract the OTP code and complete the login operation without further user interaction.

By doing this, the process of receiving and entering a one-time passcode could be automated, eliminating the risk of a user falling for a scam and entering an OTP code on a phishing site, with the wrong URL.

According to the new proposal, the new SMS format for OTP codes would look like this:

747723 is your WEBSITE authentication code.
@website.com #747723

The first line is intended for human users, allowing them to determine which website the SMS OTP code came from.

The second line is for human users, but also for apps and browsers.

Apps and browsers will automatically extract the OTP code and complete the 2FA login operation. If there's a mismatch and the auto-complete operation fails, human readers will be able to see the website's actual URL and compare it to the site they're trying to log in to. If the two are not the same, then users will be alerted that they're actually on a phishing site and can abandon their login operation.
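To make the matching step concrete, here is an added example (not code from Apple, WebKit or the proposal itself) of how a browser or app could parse the two-line format shown above and decide whether to auto-fill the code. It assumes the machine-readable line is the last line of the message, shaped `@<host> #<code>` as in the article's sample, and that the host must match the page's hostname exactly; that exact-match rule is a design choice made here so that a lookalike domain such as `website.com.evil.example` (a constructed name) is treated as a mismatch rather than a partial match. The sample messages are constructed for the demonstration.

```javascript
// Added example: parse an origin-bound OTP SMS and bind it to the page origin.
// Not part of the proposal or of any browser's implementation; the exact-host
// comparison and the message shapes below are this example's own assumptions.

// Returns { host, code } when the last non-empty line looks like "@<host> #<code>",
// otherwise null (legacy messages without the tag line are simply ignored).
function parseOriginBoundOtp(smsText) {
  const lines = smsText
    .split(/\r?\n/)
    .map((line) => line.trim())
    .filter((line) => line.length > 0);
  if (lines.length === 0) return null;

  const tagLine = lines[lines.length - 1];
  // Host: DNS-style labels only; code: one whitespace-free token after "#".
  const match = /^@([a-z0-9.-]+)\s+#(\S+)$/i.exec(tagLine);
  if (!match) return null;
  return { host: match[1].toLowerCase(), code: match[2] };
}

// Decide what the client should do for a message received while the user is on
// `currentOrigin` (e.g. "https://website.com/login").
//   fill   -> host matches, safe to auto-fill `code`
//   warn   -> message carries a code bound to a different host (possible phishing)
//   ignore -> not an origin-bound message, or the origin is unparseable
function autofillDecision(smsText, currentOrigin) {
  const parsed = parseOriginBoundOtp(smsText);
  if (!parsed) {
    return { action: "ignore", reason: "no origin-bound tag line" };
  }

  let pageHost;
  try {
    pageHost = new URL(currentOrigin).hostname.toLowerCase();
  } catch (err) {
    return { action: "ignore", reason: "invalid origin" };
  }

  // Exact comparison on purpose: a suffix or substring check would let a
  // registrable lookalike such as "website.com.evil.example" pass.
  if (pageHost !== parsed.host) {
    return {
      action: "warn",
      reason: `code is bound to ${parsed.host}, but the page is ${pageHost}`,
      boundHost: parsed.host,
    };
  }
  return { action: "fill", code: parsed.code, boundHost: parsed.host };
}

// Constructed sample messages for the demonstration.
const SAMPLE_GOOD = "747723 is your WEBSITE authentication code.\n@website.com #747723";
const SAMPLE_LOOKALIKE = "747723 is your WEBSITE authentication code.\n@website.com.evil.example #747723";
const SAMPLE_LEGACY = "Your verification code is 123456";

if (typeof require !== "undefined" && require.main === module) {
  for (const [label, sms] of [
    ["genuine", SAMPLE_GOOD],
    ["lookalike", SAMPLE_LOOKALIKE],
    ["legacy", SAMPLE_LEGACY],
  ]) {
    console.log(label, autofillDecision(sms, "https://website.com/login"));
  }
}

module.exports = { parseOriginBoundOtp, autofillDecision, SAMPLE_GOOD, SAMPLE_LOOKALIKE, SAMPLE_LEGACY };
```

The important property is that the code is only ever filled when the bound host and the page host are identical; any other outcome surfaces the bound host to the user, which is exactly the signal the article describes for spotting a phishing page.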

Currently, Apple (WebKit) and Google (Chromium) engineers are already on board with the proposal. Mozilla (Firefox) has not provided official feedback on the standard yet.

Once browsers ship components for reading SMS OTP codes in this new format, major providers of SMS OTP codes are expected to switch to using it. As of now, Twilio has already expressed interest in implementing the new format for its SMS OTP services.
