Apple Changes 2FA Autofill Behavior When Receiving SMS Codes
If you have two-factor authentication enabled on your Apple account you’re probably familiar with the codes you receive via SMS message.
Those codes allow you to log into your Apple ID and if you’re on an iPhone, iPad, or Mac, that code will automatically be entered for you or pop up in the QuickType bar. Now, Apple has changed the SMS messages themselves to ensure that autofill only works on real websites.
The move prevents people from phishing you by creating websites that look like Apple’s and it does that by adding an identifier to the message itself. Here’s how Macworld breaks it down.
The format generally looks like this:
A standard human-readable message, including the code, followed by a new line.
The scoped domain as @domain.tld.
The code repeated again as #123456.
If the site uses an embedded HTML element, called an iframe, the source of the iframe is listed after %, such as %ecommerce.example. (The original spec specifies @; Apple appears to be using % for its texts.)
That means that any website address that isn’t in the SMS body will not work with autofill. In this instance, it’s Apple’s website, but others could also take advantage of the same change for their own websites and services.
While none of this is foolproof and people could still enter the code manually and be duped that way, it’s still a start. Ideally nobody would use SMS-based two-factor authentication in the first place of course, but at least this is better than the way things were done before.