Apple has made a change to the way two-factor authentication SMS messages look in an attempt to help boost security.
Apple’s change means that whenever it sends you a new SMS as a form of two-factor authentication, the message will only be offered for autofill on the website or app it was sent for, thanks to a new piece of text appended to it. As reported by Macworld, the move was first proposed more than a year ago, in August 2020 to be exact.
The new messages have already been rolling out for the last few weeks, and they include more text than usual:
- A standard human-readable message, including the code, followed by a new line.
- The scoped domain as @domain.tld.
- The code repeated again as #123456.
- If the site uses an embedded HTML element, called an iframe, the source of the iframe is listed after %, such as %ecommerce.example. (The original spec specifies @; Apple appears to be using % in its texts.)
This whole system works in a similar way to how password managers and iCloud Keychain will only present a password on a specified website or in an associated app. This means that fake websites can’t use autofill to accept a two-factor authentication code because iOS, iPadOS, and macOS will spot that the domains don’t match.
iOS, iPadOS, and macOS offer to fill in the code that most recently arrived via SMS to the Messages app into any properly formatted field, including a phishing site’s verification-code field. That makes life too easy for scammers.
However, if the text message is scoped as Apple suggested, operating systems starting with iOS 15, iPadOS 15, and macOS 11 Big Sur will only offer to autofill on sites that match the domain name. The protection isn’t perfect, but it’s a simple change that strengthens the defence.
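To show how the domain binding described above blocks a phishing page from receiving the code, here is an added example (my own illustration, not Apple’s autofill code) that parses the scoped last line of such an SMS and releases the code only when the bound domain matches the page host. Assumptions: following the article’s description, the @ value is compared with the page’s host and the % value, when present, with the host of the iframe the field sits in; matching is exact-hostname; the sample messages are constructed.

```python
import re
from typing import Optional, Tuple
from urllib.parse import urlsplit

# Constructed sample messages in the scoped format the article describes.
SAMPLE_OTP_SMS = "Your verification code is 123456.\n\n@example.com #123456"
SAMPLE_OTP_SMS_IFRAME = (
    "Your verification code is 123456.\n\n@example.com #123456 %ecommerce.example"
)

# Last line: "@domain #code" with an optional " %embedded-domain" suffix.
BINDING_LINE = re.compile(
    r"^@(?P<domain>[a-z0-9.-]+)\s+#(?P<code>\S+)(?:\s+%(?P<embedded>[a-z0-9.-]+))?$",
    re.IGNORECASE,
)


def parse_bound_otp(message: str) -> Optional[Tuple[str, str, Optional[str]]]:
    """Return (bound_domain, code, embedded_domain_or_None) from the last
    non-empty line of a scoped OTP SMS, or None if the message is unscoped."""
    lines = [line.strip() for line in message.splitlines() if line.strip()]
    if not lines:
        return None
    match = BINDING_LINE.match(lines[-1])
    if not match:
        return None
    embedded = match.group("embedded")
    return (match.group("domain").lower(), match.group("code"),
            embedded.lower() if embedded else None)


def _host(url: Optional[str]) -> str:
    return (urlsplit(url).hostname or "").lower() if url else ""


def code_for_autofill(message: str, page_url: str,
                      frame_url: Optional[str] = None) -> Optional[str]:
    """Release the code only when the binding matches where it would be filled.
    Unscoped messages carry no binding, so this strict model declines them
    instead of offering the code to any page, as the legacy behaviour did."""
    parsed = parse_bound_otp(message)
    if parsed is None:
        return None
    domain, code, embedded = parsed
    if _host(page_url) != domain:
        return None  # e.g. a look-alike phishing host: no autofill offered
    if embedded is not None and _host(frame_url) != embedded:
        return None  # field sits in an iframe from the wrong source
    return code
```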
You still need to keep an eye on where you are clicking and what passwords you are entering, but this SMS change should at least help matters.
You can read more about how this all works in the original Macworld article, too.