Apple seeks to simplify two-step verifications with standard SMS format

AppleInsider

Apple's WebKit engineers are working on a standardized format for SMS messages containing one-time passcodes, an initiative that could one day better protect users by streamlining two-step authentication logins.

Apple previously relied on two-step verification for Apple ID.

Posted to GitHub on Thursday, the proposal from Apple seeks to simplify the OTP SMS mechanism commonly used by websites, businesses and other entities to confirm login credentials as part of two-step authentication systems, reports ZDNet.

Two-step solutions require a user's password and another element, in this case a one-time code sent over SMS, to gain access to a target account. Currently, it is difficult to impossible for software to automatically extract the necessary information from an OTP SMS message, as they can arrive in a range of text formats. This means users must manually enter the provided code into an input box.

Apple's proposal seeks to eliminate user intervention in the OTP SMS process, namely copy-and-pasting one-time codes from messages into a browser. It also states that a more refined solution would ensure that one-time codes sent over SMS are used only on originating sites.

Using a "lightweight text format," the proposed format embeds an actionable one-time code in an SMS message and links that code to a particular originating URL. Doing so allows recipient systems to automatically extract the code and log in to an associated website.

Apple provides an example SMS:

747723 is your [website] authentication code.
@website.com #747723

The first line in the message above is optional human-readable text to explain the incoming message, while the second line contains information for programmatic use. Special characters are employed to denote the one-time code and originating URL, which in this case is "747723" and "website.com," respectively.

Apple and Google have signed on to the proposal, while Mozilla has not made an official statement on the standard, the report said.

For its part, Apple has moved its products from two-step verification to more secure two-factor authentication methods that rely on passcodes sent to pre-enrolled trusted devices.

soli

Bring it on! While they're at it, I wish that websites had a simple, robots.txt-like file that would detail the password parameters so that when using a password manager to create complex, random passwords, it could look at that file to know what characters and other rules are allowed (or disallowed) before generating a unique password.

eric_wvgg

That is a really excellent idea…

I'm not so sure about Apple re-enforcing SMS as a multi-factor standard, though. SIM-jacking is real, the security standards of AT&T Verizon and Tmobile are laughable. 

fastasleep

One of my favorite newer features in iOS/macOS is the ability to auto-populate OTP codes sent via SMS in apps and Safari without having to even look at Messages. This seems like an extension of that by way of more security and standardization? 

seanismorris

Yes
Yes
Oh god
Yes

tundraboy

I thought the point of two factor authentication is that even if a bad actor gets your login credentials, he won't be able to get into your account using his own computer if he doesn't have access to your phone.  I've never really seen the point of using TFA when the website or app being protected is accessed on the same device that receives the access code.

edited January 2020

longfang

Eric_WVGG said:

That is a really excellent idea…

I'm not so sure about Apple re-enforcing SMS as a multi-factor standard, though. SIM-jacking is real, the security standards of AT&T Verizon and Tmobile are laughable. 

That’s on the carriers. It basically a tradeoff for convenience. Here to change anything on my cell phone account like shifting carriers or requesting new sim cards requires govt issued id with biometric confirmation.

seanismorris

tundraboy said:

I thought the point of two factor authentication is that even if a bad actor gets your login credentials, he won't be able to get into your account using his own computer if he doesn't have access to your phone.  I've never really seen the point of using TFA when the website or app being protected is accessed on the same device that receives the access code.

It’s the difference between ‘good’, ‘better’ and ‘best’.

For most people 2FA is a significant upgrade because they frequently reuse passwords, parts of passwords, or use things like birthdays in their passwords.  Even if it’s on the same device it’s an improvement.  If a website login is being accessed from an Apple iPad (for example) you’d need your biometric to auto fill the credentials from keychain then OTP SMS.  

Many people don’t use 2FA because they access sites from different devices.  Hopefully more people will enable it with a simple standard that’s user friendly.

You're correct though SMS isn’t the best, a hardware key would be better, but it’s more complicated for the end user to use.

warrenbuffduckh

It remains unclear what’s the benefit of using a more common ground format with lower functionality than Apple’s own proprietary iMessage format - other than letting Google share the fruits

macpro

Soli said:

Bring it on! While they're at it, I wish that websites had a simple, robots.txt-like file that would detail the password parameters so that when using a password manager to create complex, random passwords, it could look at that file to know what characters and other rules are allowed (or disallowed) before generating a unique password.

Agreed.  I have found several examples this week alone so far where web sites refuse to accept Apple's auto-generated long password.

sandor

Mostly this:

gatorguy

WarrenBuffduckh said:

It remains unclear what’s the benefit of using a more common ground format with lower functionality than Apple’s own proprietary iMessage format - other than letting Google share the fruits

"Apps and browsers will automatically extract the OTP code and complete the 2FA login operation. If there’s a mismatch and the auto-complete operation fails, human readers will be able to see the website’s actual URL, and compare it to the site they’re trying to login. If the two are not the same, then users will be alerted that they’re actually on a phishing site and abandon their login operation."

edited January 2020

fastasleep

sandor said:

Mostly this:

Strong passwords have literally nothing to do with two-step/2FA. Having both is the goal.

georgebmac

tundraboy said:

I thought the point of two factor authentication is that even if a bad actor gets your login credentials, he won't be able to get into your account using his own computer if he doesn't have access to your phone.  I've never really seen the point of using TFA when the website or app being protected is accessed on the same device that receives the access code.

I get not compromising the effectiveness of such security procedure.  But:

In practice, the authentication code is not sent to the device originating the transaction but to a pre-defined device (or id or phone number) specified to receive the code.  While the devices may or may not be the same the difference is in what sourced where the code was to be sent.

But various ways have been created to subvert that:  One way is to have the victim's phone number transferred to the perpetrator's phone so the code is diverted from the victim to the perpetrator.    Some have claimed that that makes 2 factor authentication worthless.  But, that mostly just goes to prove that no security is 100% fool proof.

For myself, I have no trouble typing in a 6 or 8 digit code if means my financial accounts are secure.   In fact, I recently changed banks to one that uses 2 factor identification partly for that reason.  But, I have to admit that getting the code on my Apple Watch makes it a lot easier -- no looking for a device because it's right there on my wrist.

elijahg

Soli said:

Bring it on! While they're at it, I wish that websites had a simple, robots.txt-like file that would detail the password parameters so that when using a password manager to create complex, random passwords, it could look at that file to know what characters and other rules are allowed (or disallowed) before generating a unique password.

Or better, enforce standards so that all websites allow all alphanumeric characters with a minimum of say 8, and maximum of 32 characters. If the site & database are designed properly any character - emojis included - can be part of a password. One bank in the UK (TSB) have the worst login imaginable. Not only do they have a password, with certain requirements (no special characters and must have uppercase, lowercase and numeric characters, more than 8 digits but less than 14) they have "memorable information" which is just another password with the exact same requirements as the first, so obviously everyone will use the same password with a different number on the end - but it also has a PIN number. And OTP. It's ridiculous. It also has a habit of forgetting the details, occasionally it won't accept the password that's remembered by Safari's password manager either, and if you don't log in for a month you have to reset your password. It's just stupid.

elijahg

ajl said:

Hoping they can make a two-steps verification system that cannot be used by scammers in the SIM-swap fraud.

An easy fix for that is to disallow number porting to a different SIM without physically changing the SIM card, and a requirement for both old and new phone company to be informed by the account owner of a transfer. Scammers would then need to convince two phone companies they were the account owner (so two sets of security questions) and register their address with the phone company and wait for the new SIM to arrive which would give police a much better chance of catching the perpetrator. Another fix would be for a text to arrive on the SIM that is losing its number informing the user that the number will be ported, and asking whether they want to do this. 

A small inconvenience but a big step up in security. The SIM-swap issue is pretty easily solved really, but phone companies don't really seem interested, even though they're often the last line of defence against fraudsters.

tundraboy

GeorgeBMac said:

tundraboy said:

I thought the point of two factor authentication is that even if a bad actor gets your login credentials, he won't be able to get into your account using his own computer if he doesn't have access to your phone.  I've never really seen the point of using TFA when the website or app being protected is accessed on the same device that receives the access code.

I get not compromising the effectiveness of such security procedure.  But:

In practice, the authentication code is not sent to the device originating the transaction but to a pre-defined device (or id or phone number) specified to receive the code.  While the devices may or may not be the same the difference is in what sourced where the code was to be sent.

But various ways have been created to subvert that:  One way is to have the victim's phone number transferred to the perpetrator's phone so the code is diverted from the victim to the perpetrator.    Some have claimed that that makes 2 factor authentication worthless.  But, that mostly just goes to prove that no security is 100% fool proof.

For myself, I have no trouble typing in a 6 or 8 digit code if means my financial accounts are secure.   In fact, I recently changed banks to one that uses 2 factor identification partly for that reason.  But, I have to admit that getting the code on my Apple Watch makes it a lot easier -- no looking for a device because it's right there on my wrist.

What I'm talking about is the case where you log into a bank website on the iPhone and the TFA access code is sent to the same iPhone, then you just tap an accept button to submit the code to the bank website.  If you had the iPhone memorize your bank account's login credentials, then there really is no additional security control point beyond the iPhone's password/Face ID.

king editor the grate

I think the biggest thing Apple could do to keep me safe would be to stop sending messages to every device on my account after every 2FA stating a new (insert expensive device here) was now accessing my account. I cringe each time, picturing my wife at work, wondering what in the name of Thundarr the Barbarian her husband bought *this* time, when in actuality I've only bought something nutty about one in 10 times 2FA is employed.

soli

elijahg said:

Soli said:

Bring it on! While they're at it, I wish that websites had a simple, robots.txt-like file that would detail the password parameters so that when using a password manager to create complex, random passwords, it could look at that file to know what characters and other rules are allowed (or disallowed) before generating a unique password.

Or better, enforce standards so that all websites allow all alphanumeric characters with a minimum of say 8, and maximum of 32 characters. If the site & database are designed properly any character - emojis included - can be part of a password. One bank in the UK (TSB) have the worst login imaginable. Not only do they have a password, with certain requirements (no special characters and must have uppercase, lowercase and numeric characters, more than 8 digits but less than 14) they have "memorable information" which is just another password with the exact same requirements as the first, so obviously everyone will use the same password with a different number on the end - but it also has a PIN number. And OTP. It's ridiculous. It also has a habit of forgetting the details, occasionally it won't accept the password that's remembered by Safari's password manager either, and if you don't log in for a month you have to reset your password. It's just stupid.

I'm very much against password credentials, just as I'm against the EU wanting all devices to use the same port interface. There are key reasons why some sites should have more or less security options for passwords. If they simply listed these as a way for any password manager to access when creating a random and complex password for that site or app this would work without sacrificing any security, not unlike how 1Password works for checking if you have 2FA enabled by cross referencing with the website if 2FA is an option.

And OTP. It's ridiculous. It also has a habit of forgetting the details, occasionally it won't accept the password that's remembered by Safari's password manager either, and if you don't log in for a month you have to reset your password. It's just stupid.

This I don't understand. I love how my password manager handles OTP.

I can't imagine an easier system. As for a password not working when you log in a month later I also log out and then log back in to make sure the saved password will work again. Sometimes, websites will truncate a long password you've created so something shorter when somewhere between the time you hit submit and it gets to the database to be saved. This will usually happen on websites that list a minimum length but not a maximum length so you could think that 16 characters is perfectly reasonable but their system only allows for 15 characters. They oddly don't look at this when you create the password, but will reject you when you submit as a login. if you know this going in and you're sure it's "correct" because you just created it you can retry your login by removing a character off the end until it works, and then save the truncated password.

I don't know if there is a potential bug with Safari's password manager as I don't use it. It's never been robust enough for my needs. My secret questions have characters letters for answers, I put all sorts of website and app specific info in each login file, and even my emails for accounts can vary and will often have aliases to make the potential for cross hacking as seen with accounts found on dark web websites. (e.g. For AppleInsider I might use soli+ random112358@mac.com as my login email but for World Bank I might use soli+random132134@mac.com so that even the username isn't able to knock on the door of my account).

edited January 2020

soli

king editor the grate said:

I think the biggest thing Apple could do to keep me safe would be to stop sending messages to every device on my account after every 2FA stating a new (insert expensive device here) was now accessing my account. I cringe each time, picturing my wife at work, wondering what in the name of Thundarr the Barbarian her husband bought *this* time, when in actuality I've only bought something nutty about one in 10 times 2FA is employed.

I'm confused your comment (although I do like the Thunder reference). Do you not have independent iCloud accounts? 

I don't think I fully understand your use case either. The only time I get a message from Apple on all my connected devices is when I sign on to iCloud; that's when it let's all my connected devices know that I've added a new device. When it comes to 2FA for logins it's usually an OTP from my password manager (which 1Password does so well that you just have to have hit paste as it saves it to the clipboard for 60 seconds) or an SMS or email if the system doesn't support saving the OTP link.

georgebmac

tundraboy said:

GeorgeBMac said:

tundraboy said:

I thought the point of two factor authentication is that even if a bad actor gets your login credentials, he won't be able to get into your account using his own computer if he doesn't have access to your phone.  I've never really seen the point of using TFA when the website or app being protected is accessed on the same device that receives the access code.

I get not compromising the effectiveness of such security procedure.  But:

In practice, the authentication code is not sent to the device originating the transaction but to a pre-defined device (or id or phone number) specified to receive the code.  While the devices may or may not be the same the difference is in what sourced where the code was to be sent.

But various ways have been created to subvert that:  One way is to have the victim's phone number transferred to the perpetrator's phone so the code is diverted from the victim to the perpetrator.    Some have claimed that that makes 2 factor authentication worthless.  But, that mostly just goes to prove that no security is 100% fool proof.

For myself, I have no trouble typing in a 6 or 8 digit code if means my financial accounts are secure.   In fact, I recently changed banks to one that uses 2 factor identification partly for that reason.  But, I have to admit that getting the code on my Apple Watch makes it a lot easier -- no looking for a device because it's right there on my wrist.

What I'm talking about is the case where you log into a bank website on the iPhone and the TFA access code is sent to the same iPhone, then you just tap an accept button to submit the code to the bank website.  If you had the iPhone memorize your bank account's login credentials, then there really is no additional security control point beyond the iPhone's password/Face ID.

That is true -- and an excellent point.  
It's an argument for having passcode on the phone with the 10 try limit, always keeping track of it and putting it into lost mode the moment you don't know where it it.