Apple’s two-factor verification has greatly increased security for users. Now Apple wants to streamline the process by standardizing the format of SMS messages that contain one-time passcodes.
Apple WebKit engineers explained the proposal on the online code repository GitHub. Alongside Apple, the project also has the support of Google Chromium engineers. Mozilla’s Firefox has yet to get on board.
On the GitHub page, Apple starts by laying out the problem:
“Suppose a user receives the message ‘747723 is your FooBar authentication code.’ It’s possible, even likely, that 747723 is a one-time code for use on https://foobar.com. But because there is no standard text format for SMS delivery of one-time codes, systems which want to make programmatic use of such codes must rely on heuristics, both to locate the code in the message and to associate the code with the relevant website (origin). Heuristics are prone to failure and may even be hazardous.”
Making one-time passcodes easier
The goal is that users shouldn’t have to manually copy-and-paste one-time codes into their browsers. Instead, the browser would recognize both the one-time code and the website the code is meant for, then extract the right information and enter it automatically. It would do this without exposing the contents of SMS messages to websites.
To make this possible, Apple proposes a lightweight text format that services can adopt for such messages. The message would start with optional human-readable text. After that, both the code and the source of the authentication code would follow in a form that software can pick out automatically, without users having to do this. As Apple notes, the mobile or desktop browser could “automatically extract the OTP code and complete the login operation without further user interaction.”
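The sketch below is an added example, not code from Apple's proposal or from this article: it parses a message in the proposed format and releases the code only to a matching HTTPS page. It assumes the `@host #code` last-line syntax of the published draft (the article does not reproduce the syntax) and uses an exact-host match as a conservative simplification; the function names and sample messages are constructed for illustration.

```javascript
// Added example. Assumed syntax (from the published draft, not quoted in the
// article): the LAST line of the SMS is "@<host> #<code>".
function parseOriginBoundCode(sms) {
  // Normalise line endings and ignore trailing blank lines.
  const lines = sms.replace(/\r\n/g, "\n").replace(/\n+$/, "").split("\n");
  const last = lines[lines.length - 1];
  // No guessing: either the last line matches the format exactly or we return null.
  const m = /^@([^\s#@%]+) #([^\s#@%]+)$/.exec(last);
  if (!m) return null;
  return { host: m[1].toLowerCase(), code: m[2] };
}

// Decide whether a received code may be offered to the page at pageUrl.
// Simplification (assumption): require HTTPS and an exact host match.
function codeForPage(sms, pageUrl) {
  const parsed = parseOriginBoundCode(sms);
  if (!parsed) return null;
  let url;
  try {
    url = new URL(pageUrl);
  } catch {
    return null; // not a valid URL, nothing to fill
  }
  if (url.protocol !== "https:") return null;
  return url.hostname === parsed.host ? parsed.code : null;
}

// Constructed sample messages (not real traffic).
const SAMPLES = {
  // Legacy free-text message: a heuristic would have to guess code and site.
  legacy: "747723 is your FooBar authentication code.",
  // Same text plus the machine-readable last line binding the code to a host.
  bound: "747723 is your FooBar authentication code.\n\n@foobar.com #747723",
};

function demo() {
  return {
    legacy: parseOriginBoundCode(SAMPLES.legacy),
    onSite: codeForPage(SAMPLES.bound, "https://foobar.com/login"),
    lookalike: codeForPage(SAMPLES.bound, "https://foobar.com.evil.example/login"),
    plainHttp: codeForPage(SAMPLES.bound, "http://foobar.com/login"),
  };
}
```

Because the host travels inside the message, the code is withheld from the lookalike host and from the plain-HTTP page, which is the binding a heuristic over free text cannot provide.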
It’s not clear when this feature might debut. But with the combined support of Apple and Google behind it, hopefully it won’t be too much longer.