Apple engineers on Thursday proposed to standardize the format of the SMS messages containing one-time passcodes (OTP) that users receive during the two-factor authentication (2FA) login process.
An SMS OTP (one-time password) is a secure authorization method where a numeric or alphanumeric code is sent to a mobile number. This password is an added layer of security used to verify the identity of a user logging into an online platform, application or website.
Commonly used by banks, insurance companies and online retailers, one-time passwords help ensure the security of your customers valuable data and information.
The proposal comes from Apple engineers working on WebKit, the core component of the Safari web browser.
The proposal has two goals. The first is to introduce a way that OTP SMS messages can be associated with an URL. This is done by adding the login URL inside the SMS itself.
The second goal is to standardize the format of 2FA/OTP SMS messages, so browsers and other mobile apps can easily detect the incoming SMS, recognize web domain inside the message, and then automatically extract the OTP code and complete the login operation without further user interaction.
By doing this, the process of receiving and entering a one-time passcode could be automated, eliminating the risk of a user falling for a scam and entering an OTP code on a phishing site, with the wrong URL.
MacDailyNews Take: This seems like it would be much better for both security and convenience. Read Apple’s brief proposal via GitHub here.
Best practice would be to use an Authenticator app. If you can. SMS OTP can be hacked pretty damn easily.