Apple's SMS one-time passcode proposal moves forward with help from Google

Posted in General Discussion, edited April 2020
Apple's effort to develop a standardized format for one-time passcodes sent through SMS messages is moving forward with the help of Google engineers, as the proposal this month garnered official status as a Web Platform Incubator Community Group (WICG) specification draft.

Apple previously relied on two-step verification for Apple ID before moving to a two-factor protocol.


Announced in an updated GitHub explainer, an initial report of Apple's "Origin-bound one-time codes delivered via SMS" project was published by the WICG on April 2. The draft was co-edited by Theresa O'Connor from Apple and Sam Goto from Google.

First proposed by Apple WebKit engineers and backed by Google in January, the initiative seeks to simplify the OTP SMS mechanism commonly used by websites, businesses and other entities to confirm login credentials as part of two-step authentication systems.

While many websites and online services use OTP over SMS, a standardized method of formatting incoming message text does not exist. As such, "programmatic extraction of codes from [SMS messages] has to rely on heuristics, which are often unreliable and error-prone. Additionally, without a mechanism for associating such codes with specific websites, users might be tricked into providing the code to malicious sites," the WICG publication notes.

Currently, users must manually input provided passcodes into a text field on a host website. Apple wants to push the status quo with a more refined solution that would also provide a higher degree of security.

Using a "lightweight text format," the proposal embeds an actionable one-time code in an SMS message and links that code to an originating URL. The recipient system can then extract the code and log in to an associated website automatically.

An example OTP SMS:

    747723 is your [website] authentication code.
    @website.com #747723

ZDNet reported on the WICG development on Tuesday.

"This proposal attempts to reduce some of the risks associated with SMS delivery of one-time codes," the explainer reads. "It does not attempt to reduce or solve all of them. For instance, it doesn't solve the SMS delivery hijacking risk, but it does attempt to reduce the phishing risk."
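
The format and the phishing check described above, as an added example that is not code from the WICG draft or from Apple or Google: it parses the final `@host #code` line of the article's sample message and releases the code only to a page whose origin is `https://` plus that host. The function names, the exact-origin matching rule and the look-alike domain are assumptions made for illustration.

```javascript
// Added example: names and the exact-origin rule are assumptions,
// not taken from the WICG draft.

// Constructed sample, copied from the article's example message.
const SAMPLE_SMS =
  "747723 is your [website] authentication code.\n@website.com #747723";

// The binding lives on the last line: "@" host, one space, "#" code.
const BOUND_LINE = /^@([A-Za-z0-9.-]+) #(\S+)$/;

// Returns { origin, code }, or null if the message is not in the format.
function parseOriginBoundCode(sms) {
  const lines = sms.split(/\r?\n/).map((l) => l.trim()).filter(Boolean);
  if (lines.length === 0) return null;
  const m = BOUND_LINE.exec(lines[lines.length - 1]);
  if (!m) return null;
  let url;
  try {
    url = new URL("https://" + m[1]);
  } catch {
    return null; // not a usable hostname
  }
  // Reject hosts that the URL parser rewrites into something else.
  if (url.hostname !== m[1].toLowerCase()) return null;
  return { origin: url.origin, code: m[2] };
}

// Releases the code only when the page's origin equals the bound origin,
// so a look-alike or plain-http page gets nothing to autofill.
function codeForPage(sms, pageUrl) {
  const bound = parseOriginBoundCode(sms);
  if (!bound) return null;
  let page;
  try {
    page = new URL(pageUrl);
  } catch {
    return null;
  }
  return page.origin === bound.origin ? bound.code : null;
}

console.log(codeForPage(SAMPLE_SMS, "https://website.com/login"));
console.log(codeForPage(SAMPLE_SMS, "https://website.com.evil.example/login"));
```

A message without the final binding line yields `null`, which leaves the user on the manual-entry path the article describes.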

Publication as a WICG specification draft does not necessarily mean Apple's protocol will see mass deployment, but it does show the project is moving forward.

Comments

  • Reply 1 of 24
    seanismorris Posts: 1,624 member
    I’ll use it when required, but I worry OTP over SMS gives a false sense of security.  SMS isn’t secure.

    Making OTP over SMS more convenient doesn’t solve the underlying problem.  SMS needs to be replaced with a new standard, rather than putting lipstick on a pig.


  • Reply 2 of 24
    Xed Posts: 971 member
    How much better is this 2FA over nothing at all? Probably a little because it means the bad actors need to do more work to access your accounts, but SMS isn't secure. I'd much rather see Apple include an authenticator app option for iCloud and in their iCloud Keychain, and then push authenticator apps as the best option for everyone.
  • Reply 3 of 24
    fastasleep Posts: 5,477 member
    Here's something I don't understand. Why does Apple's 2FA send a login notice and code to the same device you're trying to log into something with (ie your iCloud or Apple Support account etc). Doesn't that defeat the purpose, even if it is a "trusted device"?
  • Reply 4 of 24
    Xed Posts: 971 member
    Here's something I don't understand. Why does Apple's 2FA send a login notice and code to the same device you're trying to log into something with (ie your iCloud or Apple Support account etc). Doesn't that defeat the purpose, even if it is a "trusted device"?
    The trusted device is to help "prove" that they are fairly certain that the owner of the device is logging in. This is because it's an internet-facing access point, which means that someone in Russia can't simply obtain your email and password from the dark web to access your account. That means they'd also have to go through the effort to spoof your SMS (i.e.: trick carrier into thinking they're the user) so they can pretend to be your device when Apple sends a 2FA code to your phone number. Unless you're being targeted directly this is usually too much trouble.
    edited April 2020
  • Reply 5 of 24
    fastasleep Posts: 5,477 member
    Xed said:
    Here's something I don't understand. Why does Apple's 2FA send a login notice and code to the same device you're trying to log into something with (ie your iCloud or Apple Support account etc). Doesn't that defeat the purpose, even if it is a "trusted device"?
    The trusted device is to help "prove" that they are fairly certain that the owner of the device is logging in. This is because it's an internet-facing access point, which means that someone in Russia can't simply obtain your email and password from the dark web to access your account. That means they'd also have to go through the effort to spoof your SMS (i.e.: trick carrier into thinking they're the user) so they can pretend to be your device when Apple sends a 2FA code to your phone number. Unless you're being targeted directly this is usually too much trouble.
    I meant the macOS dialog that pops up with the map that says "Someone is trying to log into your account, do you want to allow them" and then provides the 6 digit code to enter in Safari. So I literally drag the modal window from covering up the 6 digit fields and type in the number. I get that it prevents someone from logging in elsewhere, but let's say someone snatched my Mac while it wasn't locked and they were then able to get into iCloud.com or anything else that uses that 2FA system. The alternative would be, send that modal to every other device on your list so I'd have to get the code from my iPhone or iPad, etc.
  • Reply 6 of 24
    Apple_Bar Posts: 102 member
    Here's something I don't understand. Why does Apple's 2FA send a login notice and code to the same device you're trying to log into something with (ie your iCloud or Apple Support account etc). Doesn't that defeat the purpose, even if it is a "trusted device"?
    Xed said:
    Here's something I don't understand. Why does Apple's 2FA send a login notice and code to the same device you're trying to log into something with (ie your iCloud or Apple Support account etc). Doesn't that defeat the purpose, even if it is a "trusted device"?
    The trusted device is to help "prove" that they are fairly certain that the owner of the device is logging in. This is because it's an internet-facing access point, which means that someone in Russia can't simply obtain your email and password from the dark web to access your account. That means they'd also have to go through the effort to spoof your SMS (i.e.: trick carrier into thinking they're the user) so they can pretend to be your device when Apple sends a 2FA code to your phone number. Unless you're being targeted directly this is usually too much trouble.
    I meant the macOS dialog that pops up with the map that says "Someone is trying to log into your account, do you want to allow them" and then provides the 6 digit code to enter in Safari. So I literally drag the modal window from covering up the 6 digit fields and type in the number. I get that it prevents someone from logging in elsewhere, but let's say someone snatched my Mac while it wasn't locked and they were then able to get into iCloud.com or anything else that uses that 2FA system. The alternative would be, send that modal to every other device on your list so I'd have to get the code from my iPhone or iPad, etc.
    The only way that scenario would be possible is if you go to icloud.com, enter Apple ID and password and just when you are about to click login... they snatched your Mac.

    Then there is no way around it; of course they will be able to approve the login, but that's like getting struck by lightning.

    The snatching will give them access to an unlocked computer (documents etc) but it won't give them access to icloud.com unless you are one of those people all about privacy (/s) but they have a note with all sorts of sensitive data including Apple ID and password. They won't even have access to keychain because they will need a watch, the Mac login info or your finger.
  • Reply 7 of 24
    fastasleep Posts: 5,477 member
    Apple_Bar said:
    Here's something I don't understand. Why does Apple's 2FA send a login notice and code to the same device you're trying to log into something with (ie your iCloud or Apple Support account etc). Doesn't that defeat the purpose, even if it is a "trusted device"?
    Xed said:
    Here's something I don't understand. Why does Apple's 2FA send a login notice and code to the same device you're trying to log into something with (ie your iCloud or Apple Support account etc). Doesn't that defeat the purpose, even if it is a "trusted device"?
    The trusted device is to help "prove" that they are fairly certain that the owner of the device is logging in. This is because it's an internet-facing access point, which means that someone in Russia can't simply obtain your email and password from the dark web to access your account. That means they'd also have to go through the effort to spoof your SMS (i.e.: trick carrier into thinking they're the user) so they can pretend to be your device when Apple sends a 2FA code to your phone number. Unless you're being targeted directly this is usually too much trouble.
    I meant the macOS dialog that pops up with the map that says "Someone is trying to log into your account, do you want to allow them" and then provides the 6 digit code to enter in Safari. So I literally drag the modal window from covering up the 6 digit fields and type in the number. I get that it prevents someone from logging in elsewhere, but let's say someone snatched my Mac while it wasn't locked and they were then able to get into iCloud.com or anything else that uses that 2FA system. The alternative would be, send that modal to every other device on your list so I'd have to get the code from my iPhone or iPad, etc.
    The only way that scenario would be possible is if you go to icloud.com, enter Apple ID and password and just when you are about to click login... they snatched your Mac.

    Then there is no way around it; of course they will be able to approve the login, but that's like getting struck by lightning.

    The snatching will give them access to an unlocked computer (documents etc) but it won't give them access to icloud.com unless you are one of those people all about privacy (/s) but they have a note with all sorts of sensitive data including Apple ID and password. They won't even have access to keychain because they will need a watch, the Mac login info or your finger.
    Okay, maybe I just find it odd that whenever I need to use this system, I am entering the number on the same device I'm receiving it on. I was thinking there might be a situation where that would be insecure, but maybe not.
  • Reply 8 of 24
    cropr Posts: 1,046 member
    Here's something I don't understand. Why does Apple's 2FA send a login notice and code to the same device you're trying to log into something with (ie your iCloud or Apple Support account etc). Doesn't that defeat the purpose, even if it is a "trusted device"?
    You are absolutely right.  2FA using the same device does not improve the security that much.  

    The SMS should be sent to a different device.  In case your device is compromised by a hacker, sending an SMS to that same device does not make sense, because the hacker will receive the SMS as well.

  • Reply 9 of 24
    cropr said:
    Here's something I don't understand. Why does Apple's 2FA send a login notice and code to the same device you're trying to log into something with (ie your iCloud or Apple Support account etc). Doesn't that defeat the purpose, even if it is a "trusted device"?
    You are absolutely right.  2FA using the same device does not improve the security that much.  

    The SMS should be sent to a different device.  In case your device is compromised by a hacker, sending an SMS to that same device does not make sense, because the hacker will receive the SMS as well.

    If my phone is protected by touch/Face ID and is the only device I have at the moment, how would sending an SMS to a different device help? I could use my wife’s phone number and call her if she is available, but what would a single person do in that case?
  • Reply 10 of 24
    pslice Posts: 120 member
    I don’t trust Google. Any time Google gets involved I feel spied upon. 
  • Reply 11 of 24
    bbh Posts: 105 member
    Having the iMac display the SMS sent to your iPhones is a "convenience" you set up. I'm pretty sure you can disable that feature. It's the same thing, I guess, as the setup that allows you to have a telephone conversation over your iMac. I haven't researched just how, but I'm pretty sure you can disable the whole iPhone iMac synergy.
  • Reply 12 of 24
    flydog Posts: 968 member
    Here's something I don't understand. Why does Apple's 2FA send a login notice and code to the same device you're trying to log into something with (ie your iCloud or Apple Support account etc). Doesn't that defeat the purpose, even if it is a "trusted device"?
    That’s precisely what makes it secure. The trusted device is separate from the authentication server. 
  • Reply 13 of 24
    flydog Posts: 968 member
    I’ll use it when required, but I worry OTP over SMS gives a false sense of security.  SMS isn’t secure.

    Making OTP over SMS more convenient doesn’t solve the underlying problem.  SMS needs to be replaced with a new standard, rather than putting lipstick on a pig.


    How is it less secure than not using it at all?  
  • Reply 14 of 24
    coolfactor Posts: 1,814 member
    Here's something I don't understand. Why does Apple's 2FA send a login notice and code to the same device you're trying to log into something with (ie your iCloud or Apple Support account etc). Doesn't that defeat the purpose, even if it is a "trusted device"?

    It's only accessible if the phone is unlocked, and if it's unlocked, all bets are off anyway, aren't they?
  • Reply 15 of 24
    ireland Posts: 17,749 member
    I’d just like if Apple moved to SMS authentication for iMessage and tied it to phone numbers and not devices and get rid of iCloud use for iMessage entirely. Why: to simplify and streamline iMessage. And yes, an Android app.
  • Reply 16 of 24
    gatorguy Posts: 23,001 member
    pslice said:
    I don’t trust Google. 
    Apple trusts 'em, so that's good enough.... unless you don't trust Apple.
    Wait until you find out Google and Apple are working together on making smart devices in your home more secure and at the same time easier to use. Might be a good time to start getting over your phobia unless you plan to stop using your iPhone and all other smart devices in the relatively near future.

    Apple is working with Google on a whole lot of projects, from video streaming to cloud security, data sharing, and IoT security and software standards. It's that many of these things you just weren't aware of.
    edited April 2020
  • Reply 17 of 24
    lkrupp Posts: 9,291 member
    I’ll use it when required, but I worry OTP over SMS gives a false sense of security.  SMS isn’t secure.

    Making OTP over SMS more convenient doesn’t solve the underlying problem.  SMS needs to be replaced with a new standard, rather than putting lipstick on a pig.


    So you know more about this than Apple and Google engineers. Wow, I’m impressed.
  • Reply 18 of 24
    crowley Posts: 8,224 member
    lkrupp said:
    I’ll use it when required, but I worry OTP over SMS gives a false sense of security.  SMS isn’t secure.

    Making OTP over SMS more convenient doesn’t solve the underlying problem.  SMS needs to be replaced with a new standard, rather than putting lipstick on a pig.


    So you know more about this than Apple and Google engineers. Wow, I’m impressed.
    The story itself admits there are security issues with SMS.
    "It does not attempt to reduce or solve all of them. For instance, it doesn't solve the SMS delivery hijacking risk, but it does attempt to reduce the phishing risk."
  • Reply 19 of 24
    lkrupp Posts: 9,291 member
    Here's something I don't understand. Why does Apple's 2FA send a login notice and code to the same device you're trying to log into something with (ie your iCloud or Apple Support account etc). Doesn't that defeat the purpose, even if it is a "trusted device”?
    So tell me, what about users who have only one Apple device, say an iPhone? Nothing else. There are lots of them apparently because they scream about this on the Apple Discussion Forums all the time. What is their ‘trusted device’?
  • Reply 20 of 24
    Xed Posts: 971 member
    Xed said:
    Here's something I don't understand. Why does Apple's 2FA send a login notice and code to the same device you're trying to log into something with (ie your iCloud or Apple Support account etc). Doesn't that defeat the purpose, even if it is a "trusted device"?
    The trusted device is to help "prove" that they are fairly certain that the owner of the device is logging in. This is because it's an internet-facing access point, which means that someone in Russia can't simply obtain your email and password from the dark web to access your account. That means they'd also have to go through the effort to spoof your SMS (i.e.: trick carrier into thinking they're the user) so they can pretend to be your device when Apple sends a 2FA code to your phone number. Unless you're being targeted directly this is usually too much trouble.
    I meant the macOS dialog that pops up with the map that says "Someone is trying to log into your account, do you want to allow them" and then provides the 6 digit code to enter in Safari. So I literally drag the modal window from covering up the 6 digit fields and type in the number. I get that it prevents someone from logging in elsewhere, but let's say someone snatched my Mac while it wasn't locked and they were then able to get into iCloud.com or anything else that uses that 2FA system. The alternative would be, send that modal to every other device on your list so I'd have to get the code from my iPhone or iPad, etc.
    I see what you're getting at and I've brought this up at an Apple Store with a Genius when I've had to input the temporary code on the device that received it. They didn't really have a great answer for me, but I think it's probably a lot like getting a code to SMS (which often gives me a 2FA code to the device I'm using). Since Apple knows which devices are yours and you just inputted your password it's probably reasonably sure that you're getting that temporary code. It's not the most secure option, but it probably can't be spoofed as easily as SMS (if so, I've never heard of it), and is certainly better than having no direct access to one of your devices for entering the temporary code.