Apple Starts Blocking SMS Autofill for Two-Factor Authentication to Prevent Phishing Attacks

BY Chandraveer Mathur

Published 31 Jan 2022

Autofill for two-factor authentication (2FA) codes delivered via SMS is a convenient iPhone feature. However, Apple has started asking companies to send 2FA codes in a more secure format, in users' own interest.

Phishing scammers rely on the credibility associated with Apple’s autofill system. When a victim clicks a malicious link to a site that triggers an SMS code, autofill on iPhone offers to paste the code for them, which makes the attack seem credible to the unwary victim.

Apple’s proposed countermeasure requires companies to send SMS codes in a secure format so the iPhone auto-fills the code only if the domains match. In other words, iPhone won’t offer the autofill option if phishing scammers are collecting a 2FA code on one website while the code was generated by another website. The new SMS format looks like this:

“Your Apple ID Code is: 123456. Don’t share it with anyone.
@apple.com #123456 %apple.com”

The message is structured so the first line contains the code and can be read by a human. The following line contains the scoped domain preceded by an “@,” the code preceded by a “#,” and the iframe source preceded by a “%.” An iframe or inline frame is an HTML element used to embed another document within the current HTML document.
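To make the matching rule concrete, here is a small parser and autofill decision function written for this article; it is an added example, not Apple’s code, and it assumes a simplified rule: the “@” domain must equal the domain of the page the user is on, and, when a “%” domain is present, it must equal the domain of the frame that holds the input field (treated as the page domain itself when there is no iframe). Real iOS matching details may differ. The sample messages and the lookalike domain `apple-id-verify.example` are constructed for the demonstration.

```python
import re

# Last line of the origin-bound format from the article:
#   "@<scoped domain> #<code>" with an optional " %<iframe domain>".
LAST_LINE = re.compile(
    r"^@(?P<domain>\S+)\s+#(?P<code>\S+)(?:\s+%(?P<iframe>\S+))?$"
)

# Constructed sample messages (the first mirrors the article's example).
PAGE_MESSAGE = (
    "Your Apple ID Code is: 123456. Don't share it with anyone.\n"
    "@apple.com #123456 %apple.com"
)
LEGACY_MESSAGE = "Your verification code is 654321."


def parse_otp_sms(message):
    """Return {'domain', 'code', 'iframe'} for an origin-bound message,
    or None when the last line does not follow the format."""
    lines = [ln.strip() for ln in message.strip().splitlines() if ln.strip()]
    if not lines:
        return None
    match = LAST_LINE.match(lines[-1])
    if not match:
        return None  # legacy, unscoped message: nothing to bind to
    return {
        "domain": match.group("domain").lower(),
        "code": match.group("code"),
        "iframe": (match.group("iframe") or "").lower() or None,
    }


def should_autofill(message, page_domain, iframe_domain=None):
    """Return the code to offer for autofill, or None when the message is
    not bound to the page the user is on (assumed simplified rule)."""
    parsed = parse_otp_sms(message)
    if parsed is None:
        return None
    # Frame holding the input; assume the top-level page when no iframe.
    frame = (iframe_domain or page_domain).lower()
    if parsed["domain"] != page_domain.lower():
        return None  # code was generated for a different site
    if parsed["iframe"] is not None and parsed["iframe"] != frame:
        return None  # input lives in a frame the message does not name
    return parsed["code"]


if __name__ == "__main__":
    # Legitimate login on apple.com: autofill is offered.
    print(should_autofill(PAGE_MESSAGE, "apple.com"))
    # Lookalike phishing page asking for the same code: no autofill offer.
    print(should_autofill(PAGE_MESSAGE, "apple-id-verify.example"))
```

A message that parses but yields no autofill offer on the current page is exactly the warning sign the article describes: the code was issued for a different domain than the one asking for it.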

Apple’s new system has its demerits. If the iPhone doesn’t offer auto-fill for the malicious 2FA code, that may not be a big enough red flag for the phishing victim, who may simply enter the code manually at the attackers’ request. Additionally, the system relies on companies being willing to adopt Apple’s new standard for sending 2FA codes.

All things considered, it is still a step in the right direction. Now, if you receive a 2FA code and it is in Apple’s format described above, but your iPhone doesn’t offer to autofill it, it is probably fraudulent. What do you think of the new SMS system? Let us know your thoughts in the comments section below!

[Via Macworld]