Google Backs Apple’s SMS One-Time Passcode Proposal for Two-Factor Authentication

Google is now backing a standard proposed by Apple engineers in January to create a default format for one-time passcodes (OTP) sent via SMS to users during the two-factor authentication (2FA) process.

We depend heavily on one-time passwords (OTP) to log in to online banking, social media, and other internet-based services. Switching to the messaging app to read the SMS, then switching back to the original app to type in the OTP, is cumbersome. Google is now supporting an Apple-backed standard SMS OTP format that would make this easier.

Now, according to an updated GitHub explainer, the format, originally proposed by Apple engineers working on the Safari WebKit project, has now reached the status of official Web Platform Incubator Community Group (WICG) specification draft.

While many websites and online services deliver OTPs over SMS, no standardized format for the text of these messages exists, explains Apple Insider. As such, “programmatic extraction of codes from [SMS messages] has to rely on heuristics, which are often unreliable and error-prone. Additionally, without a mechanism for associating such codes with specific websites, users might be tricked into providing the code to malicious sites,” the WICG publication notes.

Under the proposal, an SMS carrying an OTP code would look like this:

747723 is your WEBSITE authentication code.
@website.com #747723

The first line is intended for human users, letting them see which website the SMS OTP code came from. The second line is for mobile apps and browsers, which can extract the OTP code, check that the named website matches the one being signed in to, and finish the 2FA operation.

“This proposal attempts to reduce some of the risks associated with SMS delivery of one-time codes,” Apple and Google engineers wrote in the explainer. “It does not attempt to reduce or solve all of them. For instance, it doesn’t solve the SMS delivery hijacking risk, but it does attempt to reduce the phishing risk.”
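As an added illustration, not code from the article or from the WICG draft, the snippet below shows how a client could parse the machine-readable second line of such a message and release the code only when the host named in the SMS matches the site the user is actually signing in to, which is the phishing mitigation the explainer describes. Function names and the sample messages are assumptions for this example.

```javascript
// Added example: parse the "@host #code" line of an origin-bound OTP SMS and
// bind the code to the expected site. Names and sample messages are constructed.

// Last line of the message: "@" host, whitespace, "#" code (no whitespace in either).
const ORIGIN_BOUND_LINE = /^@([^\s#]+)\s+#(\S+)$/;

// Returns { host, code } for a well-formed message, or null when the message
// does not carry the machine-readable line (legacy free-text OTPs fall here).
function parseOriginBoundOtp(sms) {
  const lines = sms
    .split(/\r?\n/)
    .map((line) => line.trim())
    .filter((line) => line.length > 0);
  if (lines.length === 0) return null;
  const match = ORIGIN_BOUND_LINE.exec(lines[lines.length - 1]);
  if (!match) return null;
  return { host: match[1].toLowerCase(), code: match[2] };
}

// Releases the code only if the host in the SMS equals the host the user is
// signing in to. A code bound to website.com is never handed to another site,
// so a lookalike login page cannot harvest it through this path.
function otpForOrigin(sms, expectedHost) {
  const parsed = parseOriginBoundOtp(sms);
  if (parsed === null) return null;
  if (parsed.host !== expectedHost.trim().toLowerCase()) return null;
  return parsed.code;
}

// Constructed sample messages.
const BOUND_SMS = "747723 is your WEBSITE authentication code.\n@website.com #747723";
const LEGACY_SMS = "Your verification code is 747723";

// Same message, different contexts: released for the real site, withheld elsewhere.
console.log(otpForOrigin(BOUND_SMS, "website.com"));           // "747723"
console.log(otpForOrigin(BOUND_SMS, "website-login.example"));  // null
console.log(parseOriginBoundOtp(LEGACY_SMS));                   // null
```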