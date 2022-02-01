
Apple, tweaks to 2FA on iOS, macOS and iPadOS in the name of security

If you have received an SMS containing a temporary password from Apple as part of a two-factor authentication process, you may have noticed that the content of the message is slightly different from before. In addition to the text and the code itself, there are some additional tokens at the bottom, such as “@apple.com” or “%apple.com”. This is part of an initiative to make two-factor authentication more secure, specifically to protect you from phishing attempts. Apple announced this new format as part of iOS some time ago (details are on GitHub) and has been using it in its own messages since November 2021.


Specifically, what changes is the behavior of autocomplete. During a two-factor authentication procedure, the operating system can automatically read the code contained in the SMS and offer it among the keyboard's quick suggestions or in other places that make it easier for the user to enter the code in the confirmation form. With the new format, this convenience only works if the domain specified in the SMS matches the one the user is browsing. To use the example above: the message says that the OTP (One-Time Password) is only valid for apple.com, so if I am on microsoft.com the code will not be suggested.
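As an added illustration (not code from the article or from Apple), the following Python models that autofill decision: it parses the domain-bound line at the end of an SMS and only returns the code when the domain in the message matches the host of the page the user is on. It assumes the format from the WebKit “domain-bound codes” explainer, where the last line reads `@domain #code`, optionally followed by `%domain` for cross-origin embedded frames; the sample messages and URLs are constructed.

```python
import re
from urllib.parse import urlsplit

# Constructed sample messages (not real Apple SMS text). The last line uses the
# assumed domain-bound format: "@<domain> #<code>", optionally "%<domain>".
BOUND_SMS = "Your Apple ID code is 123456. Don't share it.\n@apple.com #123456"
EMBEDDED_SMS = "Your code is 654321.\n@example.com #654321 %shop.example"
LEGACY_SMS = "Your verification code is 987654."

# Matches the bound line; the %domain part is captured for embedded-frame use.
BOUND_LINE = re.compile(
    r"^@(?P<domain>[a-z0-9.-]+)\s+#(?P<code>\S+)(?:\s+%(?P<embedded>[a-z0-9.-]+))?$",
    re.IGNORECASE,
)


def parse_bound_code(sms):
    """Return (domain, code, embedded_domain) from the SMS's last line,
    or None when the message does not carry a domain-bound code."""
    lines = sms.strip().splitlines()
    if not lines:
        return None
    m = BOUND_LINE.match(lines[-1].strip())
    if not m:
        return None
    embedded = m["embedded"].lower() if m["embedded"] else None
    return (m["domain"].lower(), m["code"], embedded)


def suggested_code(sms, page_url):
    """Mimic the autofill rule: suggest the code only when the bound domain
    equals the host of the page the user is on (exact host match is an
    assumption of this model). Legacy, unbound messages are never suggested."""
    parsed = parse_bound_code(sms)
    if parsed is None:
        return None
    domain, code, _embedded = parsed
    host = (urlsplit(page_url).hostname or "").lower()
    if host != domain:
        return None  # e.g. a phishing page on another domain: no suggestion
    return code


if __name__ == "__main__":
    print(suggested_code(BOUND_SMS, "https://apple.com/auth"))      # 123456
    print(suggested_code(BOUND_SMS, "https://microsoft.com/auth"))  # None
```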


MORE SAFETY

Microsoft.com is an absurd example, of course, but let's imagine a slightly more advanced phishing attempt. There are scam sites that manage to bypass even 2FA: when the user enters their credentials on the fake site, the fake site immediately uses them to log in on the legitimate site. At this point the legitimate site sends the SMS with the temporary verification code to the user, and the fake site shows a screen asking for that code. This is where the new security measure comes into play: first, if the SMS states the domain it comes from and on which it is meant to be used, the user has an additional clue to notice the trap; second, without autocomplete the user has a harder time completing the procedure, and perhaps that is enough to sound an alarm bell.

All legitimate service providers that offer two-factor authentication therefore have an incentive to adopt the new format implemented by Apple (supported on iOS 15, iPadOS 15, macOS 11 Big Sur and later), because otherwise autocomplete no longer works for their codes at all. To be clear, the user has no say in the matter: Apple has implemented a new standard, and it is up to the service providers to decide whether to comply or not.

