Apple two-factor authentication feature now blocks SMS autofill for phishing attacks

Apple’s two-factor authentication autofill feature makes it painless to enter verification codes sent via SMS, but phishing attackers are getting savvy to this.

When they trick people into clicking on a fake link to a site that prompts for an SMS code, the phishing page asks for the code in exactly the same way, so it looks legit when autofill offers to paste it in for you.

But Apple is now guarding against this by asking companies to send SMS codes in a new, more secure format.

With this format, your devices will only offer to autofill a verification code if the domains match. For example, if the site claims to be apple.com but the phishing link is to apple.securelogin.com, then you won’t be offered the autofill option.

The new format, which you may have started to see from late last year, looks like this:

Your Apple ID Code is: 123456. Don’t share it with anyone. @apple.com #123456 %apple.com

Macworld explains the change.

The format generally looks like this:

  • A standard human-readable message, including the code, followed by a new line.
  • The scoped domain as @domain.tld.
  • The code repeated again as #123456.
  • If the site uses an embedded HTML element, called an iframe, the source of the iframe is listed after %, such as %ecommerce.example. (The original spec specifies @; Apple appears to be using % for its texts.)
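Here is an added example of how a device could apply that domain check, written for this article rather than taken from Apple, Macworld or the spec. It assumes the machine-readable fields sit on the last line of the message, that a page host matches the @ domain when it is that domain or a subdomain of it, and that an iframe host must likewise match the % domain; the sample SMS is constructed from the format shown above.

```javascript
// Added example (not Apple's or Macworld's code): parse the domain-bound SMS
// one-time-code format and decide whether autofill should be offered.
// Assumption: the final line carries "@domain", "#code" and optionally
// "%iframe-domain" as whitespace-separated tokens.

function parseOtpMessage(text) {
  const lines = text.trim().split(/\r?\n/);
  const last = lines[lines.length - 1];
  const fields = { domain: null, code: null, iframeDomain: null };
  for (const token of last.split(/\s+/)) {
    if (token.startsWith('@')) fields.domain = token.slice(1).toLowerCase();
    else if (token.startsWith('#')) fields.code = token.slice(1);
    else if (token.startsWith('%')) fields.iframeDomain = token.slice(1).toLowerCase();
  }
  // Without both a bound domain and a code this is an unbound (legacy) message.
  if (!fields.domain || !fields.code) return null;
  return fields;
}

// True when host is the bound domain itself or a subdomain of it (assumption).
// Note that "apple.securelogin.com" does NOT end with ".apple.com".
function hostMatches(host, boundDomain) {
  host = host.toLowerCase();
  return host === boundDomain || host.endsWith('.' + boundDomain);
}

// Returns the code to autofill, or null when the message is unbound or the
// page (and any iframe) does not match the domains in the message.
function codeForOrigin(message, pageHost, iframeHost = null) {
  const fields = parseOtpMessage(message);
  if (fields === null) return null;
  if (!hostMatches(pageHost, fields.domain)) return null;
  if (iframeHost !== null) {
    // The prompt lives in an iframe: its host must match the % field too.
    if (!fields.iframeDomain || !hostMatches(iframeHost, fields.iframeDomain)) return null;
  }
  return fields.code;
}

// Constructed sample in the format the article shows (newline before the fields).
const SAMPLE_SMS =
  'Your Apple ID Code is: 123456. Don\u2019t share it with anyone.\n' +
  '@apple.com #123456 %apple.com';

console.log(codeForOrigin(SAMPLE_SMS, 'appleid.apple.com'));      // 123456
console.log(codeForOrigin(SAMPLE_SMS, 'apple.securelogin.com'));  // null
```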

It’s not a perfect solution. It relies on the user to notice that their device isn’t offering autofill, and for that fact to raise a red flag. It also relies on companies that use SMS-based 2FA to adopt the new format. Finally, as we’ve noted before, SMS is not a secure form of two-factor authentication. Code generators are better, and one is now built into iOS 15.

But every little helps, so if you’re sent an SMS verification code and don’t get offered autofill, take a very close look at the domain name. Better yet, always use your own bookmarks or type URLs rather than clicking on links.


Author

Ben Lovejoy

Ben Lovejoy is a British technology writer and EU Editor for 9to5Mac. He’s known for his op-eds and diary pieces, exploring his experience of Apple products over time, for a more rounded review. He also writes fiction, with two technothriller novels, a couple of SF shorts and a rom-com!
