Apple proposes simple security upgrade for SMS 2FA codes – Naked Security


Apple engineers think they’ve come up with a simple way to make SMS two-factor authentication (2FA) one-time codes less susceptible to phishing attacks: agree a common text format so their use can be automated without the need for risky user interaction.

The concept proposed by the company’s Safari WebKit team is that apps such as mobile browsers will automatically process SMS text codes as they are received, submitting them to the correct website.

This sidesteps today’s hazard: a phishing website first fools people into entering their username and password, then asks them to type the genuine 2FA code sent to their phone into the same bogus site.

But for the idea to be feasible, three problems must be overcome.

The first of these is that today’s codes are sent in a range of text formats that makes extracting the correct 2FA data and website domain difficult.

For example, PayPal’s 2FA codes look something like this:

Your security code is 123456. Your code expires in 5 minutes. Please don’t reply.

Or gaming platform Steam:

Your Steam verification code is AB1C2.

Or Facebook:

Use 123456 to login to Facebook.

And so on, with each system sending slightly different equivalents that even heuristic analysis technology struggles to interpret without making errors. The messages also rarely embed the domains to which the codes relate.

Apple’s suggestion is a lightweight text format designed to be “about as simple as it gets,” which would look like this:

747723 is your XYZ.com authentication code.
@XYZ.com #747723

The first line identifies the message to the recipient; the second is the part that apps would process, and it includes the domain the code belongs to.

Users receiving one of the new 2FA texts wouldn’t have to do anything. The data would be automatically extracted by the app doing the authentication.
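As an added illustration (not code from Apple, WebKit or the proposal itself), here is how a receiving app could parse the machine-readable second line of the proposed format and hand the code over only when the embedded domain matches the site asking for it, which is what defeats the bogus-site trick described above. The function names and sample messages are my own constructions.

```javascript
// Parse the machine-readable last line of the proposed format:
//   "@<domain> #<code>"   e.g. "@XYZ.com #747723"
// Returns {domain, code} or null when the message carries no such line.
function parseOriginBoundCode(smsText) {
  // Only the last non-empty line is considered, as in the proposal's example.
  const lines = smsText.split(/\r?\n/).map(l => l.trim()).filter(Boolean);
  if (lines.length === 0) return null;
  const last = lines[lines.length - 1];
  // Domain: hostname characters only; code: non-space characters after '#'.
  const m = /^@([A-Za-z0-9.-]+)\s+#(\S+)$/.exec(last);
  if (!m) return null;
  return { domain: m[1].toLowerCase(), code: m[2] };
}

// Decide whether the parsed code may be autofilled into a page served from
// pageOrigin. The code is released only on an exact hostname match (an
// assumption of this example; subdomain policy is a design choice), so a
// look-alike phishing domain never receives it.
function codeForOrigin(smsText, pageOrigin) {
  const parsed = parseOriginBoundCode(smsText);
  if (!parsed) return null;
  let host;
  try {
    host = new URL(pageOrigin).hostname.toLowerCase();
  } catch (e) {
    return null; // unparsable origin: never autofill
  }
  return host === parsed.domain ? parsed.code : null;
}

// Constructed sample messages (not real provider texts).
const SAMPLE_NEW_FORMAT =
  "747723 is your XYZ.com authentication code.\n@XYZ.com #747723";
const SAMPLE_LEGACY =
  "Your security code is 123456. Your code expires in 5 minutes.";

console.log(codeForOrigin(SAMPLE_NEW_FORMAT, "https://xyz.com"));            // 747723
console.log(codeForOrigin(SAMPLE_NEW_FORMAT, "https://xyz.com.evil.example")); // null
console.log(codeForOrigin(SAMPLE_LEGACY, "https://xyz.com"));                // null
```

The legacy-format message yields nothing at all, which matches the article's point that unstructured texts cannot be bound to a site and so must still be typed by hand.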