Apple’s two-factor authentication autofill feature now blocks SMS phishing attacks

Apple’s two-factor authentication autofill feature makes it easy to enter verification codes sent via SMS, but phishing attackers have begun to exploit this via fake links to sites that prompt for an SMS code, so it looks kosher to users when autofill offers to paste in the code.


Apple has done some work to fix this issue.

Ben Lovejoy for 9to5Mac:

Apple is now guarding against this by asking companies to send SMS codes in a new, more secure format.

With this format, your devices will only offer to autofill a verification code if the domains match. For example, if the site claims to be apple.com but the phishing link is to apple.securelogin.com, then you won’t be offered the autofill option.

The new format, which you may have started to see from late last year, looks like this:

Your Apple ID Code is: 123456. Don’t share it with anyone. @apple.com #123456 %apple.com

MacDailyNews Take: So, take note of those domains and make sure they match before pasting in verification codes via autofill.
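The domain check described above can be sketched as follows. This is an added example, not Apple's implementation or code from either article: the function names are hypothetical, the rule that a subdomain of the bound domain also counts as a match is an assumption, and the `%` field is parsed but not interpreted because the article does not explain it.

```javascript
// Added illustration of domain-bound SMS codes; not Apple's code.
// Matches the trailing "@domain #code %domain" run shown in the sample message.
const BOUND_RE =
  /(?:^|\s)@([a-z0-9.-]+)\s+#([A-Za-z0-9]+)(?:\s+%([a-z0-9.-]+))?\s*$/i;

// Returns the bound fields, or null for a message with no domain binding.
function parseBoundCode(message) {
  const m = BOUND_RE.exec(message);
  if (!m) return null;
  return {
    domain: m[1].toLowerCase(),
    code: m[2],
    // Meaning of the "%" field is not given in the article; returned as-is.
    percentDomain: m[3] ? m[3].toLowerCase() : null,
  };
}

// Assumption: the page matches when its host equals the bound domain
// or is a subdomain of it. Comparing whole labels (the leading ".")
// is what rejects look-alikes such as apple.securelogin.com.
function hostMatches(host, domain) {
  const h = host.toLowerCase().replace(/\.$/, "");
  return h === domain || h.endsWith("." + domain);
}

// Returns the code to offer for autofill on pageUrl, or null.
// Unbound messages are outside this sketch and also yield null.
function codeToOffer(message, pageUrl) {
  const bound = parseBoundCode(message);
  if (!bound) return null;
  let host;
  try {
    host = new URL(pageUrl).hostname;
  } catch {
    return null; // not a parseable URL
  }
  return hostMatches(host, bound.domain) ? bound.code : null;
}

// Sample message as quoted in the article.
const SAMPLE =
  "Your Apple ID Code is: 123456. Don’t share it with anyone. @apple.com #123456 %apple.com";

console.log(codeToOffer(SAMPLE, "https://apple.com/login"));
console.log(codeToOffer(SAMPLE, "https://apple.securelogin.com/login"));
```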


[Thanks to MacDailyNews Reader “Fred Mertz” for the heads up.]
