Apple WebKit engineers detailed this week on GitHub their vision for the future of one-time passwords sent by SMS. Sometimes cumbersome to use, these codes could soon become more practical, and safer, thanks to URLs embedded directly in the SMS.
The Apple WebKit team has big plans for one-time passwords sent by SMS. On GitHub, engineers from the Cupertino giant proposed changing the format of these messages. The objective? Simplify two-factor authentication, strengthen its security… and perhaps make it a little more practical than it is today. To do this, Apple WebKit wants in particular to tie the codes sent by SMS to a URL that takes the user to the login page in a single click.
SIMPLIFY USERS' LIVES WHILE FURTHER LIMITING THE RISK OF PHISHING
This measure is accompanied by a second, more ambitious proposal: standardizing the format of these codes so that mobile applications as well as browsers can identify them as one-time passwords and recognize the corresponding domain. A novelty that would allow applications or browsers “to automatically extract the OTP code and complete the identification without resorting to any other user interaction”, we read on GitHub.
Interestingly, engineers from Google and Apple jointly support this project, says 9to5Mac, while Mozilla has not yet taken a stand on the issue. That Google and Apple agree on what to do in any case gives hope for rapid adoption of this new standard. We know the clout of the two firms when it comes to imposing on third-party services the measures they put in place… so this augurs well.
AN SMS CAPABLE OF BEING INTERPRETED BY AN APPLICATION OR A BROWSER
Concretely, this new SMS standard would be broken down as follows, in two lines. The first is for the user, who would see the one-time password and the site for which it is intended (here “FooBar”, in the example used by Apple's engineers). The second takes the form of a short URL that can be interpreted automatically by an application or a browser. The user would only have to click on it to log in. Nothing else to do, since authentication would then proceed without their intervention, thanks to an autofill system.
Credit: Apple WebKit via GitHub
ZDNet, which has also looked into the proposal made by Apple WebKit on GitHub, explains for its part what happens in the event of a phishing attempt.
“Applications and browsers will automatically extract the OTP code and perform the 2FA login operation,” explains the specialized site. “If there is a mismatch and the autofill fails, users will be able to see the actual website URL and compare it to the site they are trying to log in to. If the two are not identical, they will then be warned that they are actually on a phishing site and may abandon the login process.”
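The two-line format and the mismatch behaviour described above, as an added example that is not part of the article or of the WebKit proposal itself. It assumes the machine-readable second line has the form `@example.com #123456` (the shape the proposal took in the WICG origin-bound one-time codes draft) and that the browser knows the origin of the page requesting the code; the sample messages and hostnames are constructed.

```javascript
// Added example: parse an SMS in the proposed two-line format and decide
// whether a browser may auto-fill the code on the current page.
// Assumed machine-readable line: "@host #code" (WICG origin-bound codes draft).
const MACHINE_LINE = /^@([a-z0-9.-]+)\s+#([0-9a-z]+)$/i;

// Constructed sample messages for the demonstration below.
const SAMPLES = {
  // Proposed format: human-readable line, then machine-readable line.
  bound: "Your FooBar code is 123456.\n@foobar.example #123456",
  // Legacy SMS with no machine-readable line.
  plain: "Your code is 123456. Do not share it.",
};

// Return {host, code} when the last line is machine-readable, otherwise null.
function parseOtpSms(text) {
  const lines = text.trim().split(/\r?\n/);
  const m = MACHINE_LINE.exec(lines[lines.length - 1].trim());
  if (!m) return null;
  return { host: m[1].toLowerCase(), code: m[2] };
}

// Decide what the browser should do for a page served from pageOrigin.
//   "autofill": host in the SMS equals the page host -> fill without interaction.
//   "mismatch": hosts differ -> never fill; return the real host so the user
//               can compare it with the site they are on (phishing signal).
//   "manual":   no machine-readable line -> fall back to legacy handling.
function decideAutofill(text, pageOrigin) {
  const parsed = parseOtpSms(text);
  if (!parsed) return { action: "manual", code: null, host: null };
  const pageHost = new URL(pageOrigin).hostname.toLowerCase();
  if (parsed.host === pageHost) {
    return { action: "autofill", code: parsed.code, host: parsed.host };
  }
  return { action: "mismatch", code: null, host: parsed.host };
}

// Same SMS, read on the genuine site and on a look-alike site.
console.log(decideAutofill(SAMPLES.bound, "https://foobar.example/login"));
console.log(decideAutofill(SAMPLES.bound, "https://foobar-login.example/login"));
console.log(decideAutofill(SAMPLES.plain, "https://foobar.example/login"));
```

The host comparison is exact, so a code bound to `foobar.example` is withheld on `foobar-login.example` and the user sees which site the code was really issued for.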
Note that this improved login method echoes a feature Apple added to iOS 12, which already interprets a one-time password received by SMS… and assists in filling it into the field required for two-factor authentication. Apple is clearly determined to take this further.