If you’ve ever used online banking or any other highly secure website, chances are you’ve encountered a one-time passcode (OTP) before. These are SMS messages sent to your phone with a unique code that verifies your identity with the website you’re on. For a lot of users, inputting this code into the website involves tapping back and forth between the browser and the SMS client, and in some cases even having to physically write down the code because it’s so long or complicated. Now, Apple engineers have put forward a proposal designed to make the whole process easier and more secure.
The proposal has two main objectives. The first is to come up with a way for OTP messages to be associated with a URL: this can be done easily enough by including the login URL within the message itself. The second is to standardize the format of two-factor authentication (2FA) and OTP messages so that browsers and mobile apps can automatically read the incoming code and enter it on the appropriate website, without any user interaction.
It’s hoped that by automating the process, users are less likely to fall victim to scams by inadvertently entering codes on phishing sites. If the auto-complete function fails, it means there’s a mismatch between the actual URL of the website the user is on and the website they’re trying to access; if the two are not the same, the user will be instructed to stop the process.
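The mismatch check described above can be shown in code. This is an added example, not code from the proposal or from the article: it assumes the site and code are carried on the message's last line as `@domain #code` (the article does not spell the format out), and the function names, the constructed sample messages and the exact-hostname comparison are assumptions made here.

```javascript
// Assumed layout: free text for the human, then a last line "@<domain> #<code>".
const LAST_LINE = /^@([A-Za-z0-9.-]+) #([A-Za-z0-9]+)$/;

// Constructed sample messages (not real traffic).
const SAMPLE_SMS =
  "747723 is your Example authentication code.\n\n@example.com #747723";
const LEGACY_SMS = "Your Example code is 747723";

// Return { domain, code } when the last line binds the code to a site,
// or null for a free-form message that carries no binding.
function parseBoundOtp(smsBody) {
  const lines = smsBody.replace(/\r\n/g, "\n").trimEnd().split("\n");
  const match = LAST_LINE.exec(lines[lines.length - 1]);
  if (!match) return null;
  return { domain: match[1].toLowerCase(), code: match[2] };
}

// Decide whether the code may be filled into the page the user is on.
// Simplification: exact hostname match over HTTPS only, so a look-alike
// host that merely contains the real domain is rejected.
function codeForPage(smsBody, pageUrl) {
  const otp = parseBoundOtp(smsBody);
  if (!otp) return { fill: false, reason: "no-bound-code" };

  let page;
  try {
    page = new URL(pageUrl);
  } catch {
    return { fill: false, reason: "bad-page-url" };
  }
  if (page.protocol !== "https:") return { fill: false, reason: "not-https" };
  if (page.hostname !== otp.domain) {
    return { fill: false, reason: "domain-mismatch" };
  }
  return { fill: true, code: otp.code };
}

// Legitimate login page: the code is offered.
console.log(codeForPage(SAMPLE_SMS, "https://example.com/login"));
// Look-alike host: no autofill, which is the signal to stop.
console.log(codeForPage(SAMPLE_SMS, "https://example.com.login-check.test/signin"));
// Unstructured message: nothing to bind, so nothing is filled automatically.
console.log(codeForPage(LEGACY_SMS, "https://example.com/login"));
```

The refusal reason is what a client would surface to the user; a site that relies on this behaviour still has to validate the code server-side as before.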
The ability to pull OTP codes from SMS messages has already been added to iOS 13, but the proposal — which has also been backed by Google engineers — would make it a multi-platform standard for everyone. With these major tech giants behind the standard — and others likely to follow suit — the companies that offer OTP services will be expected to fall in line. According to ZDNet, one well-known provider, Twilio, has already expressed interest in the new format.