Is Apple moving to standardize the SMS OTP format?

Ever wondered how an SMS OTP appears in your keyboard right when you need it?

Two-Step Verification (2SV), or Two-Factor Authentication (2FA), is an added layer of security that is fulfilled by a One-Time Password (OTP) sent to confirm an online action. Usually, the OTP is sent as an SMS to the mobile number linked to the account. These days, users rarely have to open their SMS messages to find an OTP; it simply appears above their keyboard automatically. This is called SMS OTP retrieval.

The SMS OTP format proposal

Apple (WebKit) engineers have put forward a plan to standardize the format of SMS OTP to ensure retrieval is efficient and secure. The project focuses on building a uniform layout for SMS OTP retrieval and autofill capabilities across devices.

"Adoption of this proposal could improve the number of services on which a browser can offer assistance with providing SMS one-time codes to websites (e.g. an AutoFill feature), and could reduce the odds users would enter one-time codes delivered over SMS on sites other than the originating one," says Theresa O'Connor, the author of 'Delivering origin-bound one-time codes over SMS' WebKit explainer.

What would Apple's new SMS OTP template look like?

According to the WebKit explainer, an SMS OTP message would have two parts: a first line of human-readable text, and a last line intended for both humans and apps/browsers, carrying the website's domain and the code. That last line lets an SMS OTP retriever pull the correct code and associate it with the right website or app.

For example:

050505 is your WEBSITE verification code.

@website.com #050505

Will this change affect Android's SMS OTP retrieval?

SMS OTP retrieval is a background process that filters incoming messages and pulls out the OTP, so there is no need to memorize codes or switch between apps. Android and iOS currently use different SMS OTP retrieval formats that coexist without conflict. If Apple's proposed standard is adopted, will this affect Google's current format?

Android currently uses the SMS Retriever API, which recognises OTP messages by a specific format. An example of Google's SMS Retriever API message format:

<#> SampleTech: Your authentication code is 987654 QbwS0t12oP

The format must include:

  1. <#> at the start of the message - this indicates to the API that the message is an OTP SMS
  2. A hash code at the end of the message - this lets the API hand the SMS OTP over to the respective app. The hash code can be generated from the command prompt or with the AppSignatureHelper class, but be aware that the AppSignatureHelper class ships with additional code - be sure to exclude it before publishing.

Apple currently filters SMS OTPs with Security Code Autofill. This system does not use a specific format to filter out OTPs; instead, it utilizes data detector heuristics to identify OTPs in SMS. Security Code Autofill looks for words like 'code' or 'passcode' followed closely by the OTP code sequence. Examples of iOS OTP message formats:

  • Your SampleTech code is 987654
  • SampleTech: Votre code est 987654
  • SampleTech passcode: 987654

The new proposal aims to eliminate the reliance on heuristics for SMS OTP extraction and to increase security by reliably associating an OTP intended for a website with that specific site, all while upholding the privacy of SMS message content. Ideally, this will reduce the need for end-users to manually copy and paste, or memorize, one-time codes from an SMS. An OTP sent by a website should only be entered on the site that sent it, and the proposal addresses this by including the website name and URL in the message.
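As an added illustration of the three layouts discussed above (this is not code from the WebKit explainer, Apple, Google or SMSGlobal), the following JavaScript recognises the origin-bound layout, the SMS Retriever layout and a simplified version of the "code"/"passcode" heuristic, then shows why only the origin-bound layout lets an autofill client check which site a code belongs to. The regular expressions, the autofillDecision helper and the sample messages are assumptions of this example; the real SMS Retriever API additionally requires an 11-character app hash, which the example does not enforce.

```javascript
// Added example (not code from the WebKit explainer, Apple, Google or SMSGlobal):
// a small classifier for the three SMS OTP layouts described on the page. It
// recognises the origin-bound layout ("@host #code" on the last line), the Android
// SMS Retriever layout ("<#>" prefix, app hash suffix) and a simplified stand-in
// for the "code"/"passcode" heuristic, then decides whether an autofill client
// acting for a given website may offer the code. All message samples are constructed.

// Origin-bound last line. Assumption: a bare hostname followed by " #" and the code.
const ORIGIN_BOUND_RE = /^@([a-z0-9.-]+) #(\S+)$/i;

// SMS Retriever: "<#>" prefix, message body, then the app hash as the final token.
// The real API expects an 11-character hash; the length is not enforced here.
const SMS_RETRIEVER_RE = /^<#>\s*([\s\S]*?)\s+(\S+)\s*$/;

// Heuristic: "code" or "passcode" followed, within 20 non-digit characters, by a
// 4-8 digit run. Assumption: a simplification of Apple's data detectors.
const HEURISTIC_RE = /\b(?:code|passcode)\b\D{0,20}?(\d{4,8})\b/i;

// Returns { kind, host, code, appHash } or null when no OTP is recognised.
function parseOtpSms(text) {
  const trimmed = text.trim();
  const lines = trimmed.split(/\r?\n/);
  const lastLine = lines[lines.length - 1].trim();

  let m = ORIGIN_BOUND_RE.exec(lastLine);
  if (m) {
    return { kind: 'origin-bound', host: m[1].toLowerCase(), code: m[2], appHash: null };
  }

  m = SMS_RETRIEVER_RE.exec(trimmed);
  if (m) {
    const digits = /\d{4,8}/.exec(m[1]);
    return { kind: 'sms-retriever', host: null, code: digits ? digits[0] : null, appHash: m[2] };
  }

  m = HEURISTIC_RE.exec(trimmed);
  if (m) {
    return { kind: 'heuristic', host: null, code: m[1], appHash: null };
  }
  return null;
}

// Decides whether an autofill client serving `requestingHost` may offer `parsed`.
// Only the origin-bound layout lets the client verify where the code belongs.
function autofillDecision(parsed, requestingHost) {
  if (!parsed || !parsed.code) {
    return { offer: false, reason: 'no one-time code recognised' };
  }
  if (parsed.kind === 'origin-bound') {
    const matches = parsed.host === requestingHost.toLowerCase();
    return {
      offer: matches,
      reason: matches ? 'code is bound to this site' : 'code is bound to ' + parsed.host,
    };
  }
  // Retriever and heuristic layouts carry no web origin; the client can only
  // offer the code without knowing which site it was meant for.
  return { offer: true, reason: 'no origin binding in message; cannot verify site' };
}

// Constructed samples, one per layout, evaluated for a client acting for website.com.
const SAMPLES = [
  '050505 is your WEBSITE verification code.\n@website.com #050505',
  '<#> SampleTech: Your authentication code is 987654 QbwS0t12oP',
  'SampleTech: Votre code est 987654',
];
for (const sms of SAMPLES) {
  const parsed = parseOtpSms(sms);
  console.log(JSON.stringify(parsed), '->', JSON.stringify(autofillDecision(parsed, 'website.com')));
}
```

The ordering matters: the origin-bound check runs first, because a message that carries a domain is the only one for which a mismatch between the embedded host and the requesting site can be detected and the code withheld; for the other two layouts the client has nothing to compare against, which is exactly the gap the proposal targets.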

According to ZDNet, Google's Chromium engineers are currently on board with the proposed format, alongside Apple's WebKit engineers. However, Mozilla Firefox has not yet officially commented on the proposal.

Learn more about how to take full advantage of SMSGlobal's SMS OTP APIs and integrations, and enhance your cybersecurity with 2FA.