Wednesday, August 5, 2020

Apple's making SMS-based one-time passcodes secure by tying them to domains

What you need to know

  • Apple is making SMS-based one-time passwords more secure.
  • Those passwords can be tied to a particular domain.
  • That means Safari will check the codes came from a legit source.

Safari will only AutoFill if the domain matches.

Way back in January Apple's WebKit team suggested a new format for SMS one-time passcodes that would make them more secure. Now, Apple has announced that developers can already take advantage of the feature in a new post to its developer website.

According to the post, Apple will now allow developers to associate their one-time passcodes with a domain, allowing Safari on iPhone, iPad, and Mac to check the code is associated with the correct domain before offering to use AutoFill.

Apple calls this new feature "domain-bound codes" and it should prevent fake codes from being generated and then auto-filled by Safari.

When you use a domain-bound code, AutoFill will suggest the code if — and only if — the domain is a match for the website or one of your app's associated domains. For example, if you receive an SMS message that ends with @example.com #123456, AutoFill will offer to fill that code when they interact with example.com, any of its subdomains, or an app associated with example.com. If instead you receive an SMS message that ends with @example.net #123456, AutoFill will not offer the code on example.com or in example.com's associated app. This makes it harder for an attacker to trick someone into entering one-time codes into a phishing site.

Apple notes that this move doesn't mean standard codes will no longer be supported, however. They will be, but it does suggest that developers take advantage of the new domain-bound codes as well.

While iOS and macOS will also display regular SMS-delivered codes in addition to domain-bound codes, we encourage everyone employing this authentication method to adopt this standard to provide a more secure experience for people on your website or app. If a message contains no domain information, it will continue to be offered in all relevant fields through AutoFill.

All of this kicks in when iOS 14, iPadOS 14, and macOS 11 Big Sur arrive this fall.

Developers can learn more about implementing the new codes on Apple's developer portal.


Apple's making SMS-based one-time passcodes secure by tying them to domains posted first on http://bestpricesmartphones.blogspot.com
Posted by at

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)