Last year, a new "verification code autofill" setting appeared as part of a Play Services update that promised to plug the SMS-based 2FA gap for apps that use Android's snazzy SMS Retriever API for verification codes. In short, it would be another way to autofill SMS 2FA codes that might be able to work with any app, regardless of developer support. And based on user reports, the feature may be rolling out.

For a bit of context, Android already supports a method for filling in SMS-based 2FA keys, but the solution requires that developers bake it into their apps for it to work, and it also requires very specific formatting cues for the message that could be confusing to end-users. (Also note SMS-based 2FA is vulnerable to SIM-swap attacks, you should do everything you can to use a more secure 2FA method, and companies that only offer SMS-based 2FA should be shamed for how little they care about customers.) This new service works without that API or those messaging cues.

Of course, you can always copy your 2FA keys easily via the Messages notification, but that requires a lot more effort on your part.

Autofill code from Messages

Two of our readers (thanks Nick & Moshe) spotted it live on their devices.

We aren't sure precisely what enabled the feature, when it was enabled, or how widely it's rolling out. I can't test it myself as I've migrated every service I use away from SMS-based 2FA, and Artem can't trigger it on his phone either. However, it's live and working for at least some devices. Should it matter for those looking to enable the setting, those that have it appear to be running Play Services version 20.04.12 and Google Messages version 5.5.096 — the latest beta version, not available as of yet on APK Mirror. (This could just as easily be controlled by a server-side flag in limited rollout, though. You never know with Google.)

When it works, it appears as you see above in screenshots from a Pixel 4 and a Galaxy S10+, offering to "Autofill code from Messages."  When tapped, it shows the numerical code in place of the bold text, though our tipsters report that it isn't very "smart," simply grabbing the most recent code and assuming it's correct. Tap it again, and it inserts the code into the text field.

We should also note that it does not work for 2FA/OTP passwords in Chrome yet. For whatever reason, it also seems to work even if Messages isn't set as your SMS provider, though it continues to show Messages as the app it's pulling the code from — weird.

Not sure how to manually enable it (yet)

The newly functional toggle in Settings.

The toggle that controls this setting was discovered last year in an XDA Developers teardown and lives in Settings -> Google -> Verification code autofill, and we should note that the toggle can appear even if the feature doesn't actually work. For many, that toggle has been present since last September, but it didn't actually do anything until now. (At the time, I think most folks confused the recently-spotted toggle with the results of the existing SMS API.)

To enable the toggle, you also need to have an autofill service enabled (easily accessed via the link on the verification code autofill settings page). Any autofill service, including a third-party one, will allow the settings toggle to work, though both our tipsters were using Google's when the feature began working for them.

Once it's all enabled, it still might not work for you, as it didn't for us in our testing. But this "autofill code from Messages" pop-up is new, and presumably, it will be rolling out more widely soon.

Thanks: Nick, Moshe