Apple has altered the appearance of two-factor authentication SMS messages in an effort to improve security.
Apple’s shift effectively implies that whenever it sends you a new SMS as a form of two-factor verification, the message will only be available for autofill on Apple services and websites as a result of the insertion of a new piece of text. According to Macworld, the change was initially proposed more than a year ago, in August 2020. Also Fast and Furious 10: Release date, new cast rumours
The new communications will feature more text than normal, and they have already been distributed for a few weeks.
- Following a new line, a regular human-readable message, containing the code.
- @domain.tld is the scoped domain.
- The code was repeated as #123456.
- If the site employs an embedded HTML element known as an iframe, the source of the iframe is provided after percent, for example, percent ecommerce.example. (The actual specification calls for @, but Apple appears to be using percent for its text.)
This entire system functions similarly to how password managers and iCloud Keychain will only display a password on a certain website or in a connected app. This implies that bogus websites will be unable to utilise autofill to accept a two-factor authentication code since iOS, iPadOS, and macOS will detect that the domains do not match.
iOS, iPadOS, and macOS offer to fill in any correctly structured field, including a phishing site’s verification-code field, with the code most recently received through SMS to the Messages app. That makes it much too simple for fraudsters.
However, if the text message is scoped as recommended by Apple, operating systems beginning with iOS 15, iPadOS 15, and macOS 11 Big Sur will only enable autofill for sites that match the domain name. The security isn’t flawless, but it’s a simple upgrade that improves defensive measures.
You should still be aware of where you are clicking and what passwords you are typing, but this SMS update should assist.