Both Android and iOS have a couple of solutions baked in to let apps automatically verify your phone number through a single-use passcode sent over SMS. Earlier this year, Apple proposed to standardize the format of these messages to make the process even more seamless. After joining hands with Apple over their contact-tracing tool, Google is now backing Apple's proposal to make SMS OTPs (one-time passcodes) a tiny bit more secure and easier to use.

The specification draft co-edited by both Apple and Google has been published by the Web Platform Incubator Community Group. It suggests formatting the SMS in two lines, with each containing the same information — the code and the issuing site’s name — but formatted differently to make the code both human- and machine-readable. Here's an example:

747723 is your ExampleCo authentication code.

@example.com #747723

The most significant change here would be making the message more concise and including the issuing website's domain (the "@example.com" part of the example). This will not only bring uniformity but will also prevent phishing attacks to a certain extent: if the app or browser finds that the domain in the message does not match the site asking for the code when auto-filling it, it can prompt for a manual check. It's clearly not a perfect solution and leaves out quite a few SMS-based attack vectors, but it admittedly should allow for easier extraction of the 2FA codes if implemented.
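To show what the domain check described above looks like in practice, here is an added example in JavaScript. It is illustrative code written for this article, not Apple's, Google's, or any browser's implementation, and it simplifies the draft: only a trailing "@host #code" line in the form shown above is recognised, the host is compared exactly against the hostname of the origin requesting the code, and any mismatch or unstructured message falls back to manual entry. The sample messages and the origin strings are constructed.

```javascript
// Constructed sample messages (not real SMS traffic).
const SAMPLE_OK = "747723 is your ExampleCo authentication code.\n\n@example.com #747723";
const SAMPLE_MISMATCH = "747723 is your ExampleCo authentication code.\n\n@evil.example #747723";
const SAMPLE_LEGACY = "Your code is 123456";

// Parse the machine-readable last line of the message.
// Returns { host, code } or null when the message carries no structured line.
// Assumption (simplification of the draft): the host is a plain DNS-style
// hostname and the code is a run of non-space characters after '#'.
function parseOriginBoundCode(sms) {
  const lines = sms
    .split(/\r?\n/)
    .map((l) => l.trim())
    .filter((l) => l.length > 0);
  if (lines.length === 0) return null;
  const last = lines[lines.length - 1];
  const m = /^@([a-z0-9.-]+)\s+#(\S+)$/i.exec(last);
  if (!m) return null;
  return { host: m[1].toLowerCase(), code: m[2] };
}

// Decide what an autofill agent should do with a code received while the
// user is on `requestingOrigin` (for example "https://example.com").
// "autofill" is returned only when the domain in the SMS matches the site
// asking for the code; everything else is sent to a manual check.
function decideAutofill(sms, requestingOrigin) {
  const parsed = parseOriginBoundCode(sms);
  if (parsed === null) {
    // Legacy, unstructured SMS: there is no domain to bind the code to.
    return { action: "manual", reason: "no origin-bound line", code: null };
  }
  let requestedHost;
  try {
    requestedHost = new URL(requestingOrigin).hostname.toLowerCase();
  } catch (e) {
    return { action: "manual", reason: "unparseable requesting origin", code: null };
  }
  if (parsed.host !== requestedHost) {
    // The page asking for the code is not the site the SMS was issued for:
    // this is the mismatch the format is designed to surface.
    return {
      action: "manual",
      reason: "host mismatch: " + parsed.host + " vs " + requestedHost,
      code: null,
    };
  }
  return { action: "autofill", reason: "host match", code: parsed.code };
}

// Stand-alone run: print the decision for each constructed sample.
for (const [label, sms] of [["ok", SAMPLE_OK], ["mismatch", SAMPLE_MISMATCH], ["legacy", SAMPLE_LEGACY]]) {
  console.log(label, decideAutofill(sms, "https://example.com"));
}
```

The design point is that the code is only ever handed to a page whose hostname equals the one the issuer wrote into the SMS; a convincing look-alike page gets a prompt instead of a silently filled-in code, while older messages without the structured line are treated no better and no worse than today.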

Android already has an SMS verification framework that allows apps to retrieve one-time codes without the need for any additional permissions, along with an autofill feature based on Google Play services. This new proposal stresses standardizing that message structure and making the 2FA codes easier and faster to spot.

Source: WICG

Via: ZDNet