Apple iPhones and Android smartphones both offer an OTP auto-fill option when signing up for a service or making an online payment. It appears that Apple is now working on a new method to make this system more secure, especially against phishing attacks that steal users’ sensitive data via dubious links. According to Macworld, some users are seeing a new format of OTP text that includes the additional text “@apple.com #123456 %apple.com”, where the numeric code after the hash (in this case 123456) is the one-time password (OTP). If the message does not arrive in this format, the auto-fill feature won’t work, indicating to users that something is fishy. However, many users are still seeing the old format of the OTP text message, which reads, “Your Apple ID Code is 123456. Don’t share it with anyone.”
The publication explains that Apple had suggested this change back on August 4 – amid the global COVID-19 pandemic lockdown. In a blog post, Apple explains, “if you receive an SMS message that ends with @example.com #123456, AutoFill will offer to fill that code when they interact with example.com, any of its subdomains, or an app associated with example.com. If instead, you receive an SMS message that ends with @example.net #123456, AutoFill will not offer the code on example.com or in example.com’s associated app. This makes it harder for an attacker to trick someone into entering one-time codes into a phishing site.”
To put it simply, Apple wants companies to send OTP SMS messages in a new format. If the format matches Apple’s protocol, the auto-fill OTP feature should work. For example, if the user is on Facebook.com but the OTP message is bound to Facebook.security.com (which is not a subdomain of Facebook.com), the auto-fill feature for the OTP won’t function. Apple says developers do not need to provide extra info for this to work, and they can “add the autocomplete=one-time-code attribute to your web page’s text field.” The company adds, “This cues Safari to offer applicable codes in that field.”
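The binding rule described above, as an added example in JavaScript that is not Apple’s or WebKit’s code: it parses the trailing `@domain #code [%domain]` fields from a message and applies the exact-or-subdomain check that a browser-style AutoFill would run before offering the code. The message texts are constructed, the function names `parseOtpMessage`, `matchesDomain` and `shouldOfferCode` are this example’s own, and the handling of the `%` part (treated as the top-level page allowed to embed the code field) is an assumption, since the article does not explain it.

```javascript
// Added example (not Apple's or WebKit's code): a model of the domain-bound
// OTP SMS format described above and the origin check an AutoFill feature
// would apply before offering a code to a page.
//
// Assumed format, taken from the article: the message ENDS with
//   @<domain> #<code> [%<domain2>]
// The article does not explain the "%" part; this example assumes it names
// the top-level page that is allowed to embed the code field in an iframe.

// Extract the binding from the end of the message; null for the old format.
function parseOtpMessage(sms) {
  const m = /@([a-z0-9.-]+)\s+#([a-z0-9]+)(?:\s+%([a-z0-9.-]+))?\s*$/i.exec(sms);
  if (!m) return null;
  return {
    domain: m[1].toLowerCase(),
    code: m[2],
    embedderDomain: m[3] ? m[3].toLowerCase() : null,
  };
}

// Exact match or subdomain match ("appleid.apple.com" matches "apple.com";
// "notapple.com" and "apple.com.evil.example" do not).
function matchesDomain(host, domain) {
  host = host.toLowerCase();
  return host === domain || host.endsWith('.' + domain);
}

// Decide whether to offer the code. `pageHost` is the hostname of the page
// holding the code field; `embedderHost` is the top-level page's hostname
// when that field sits inside an iframe (undefined otherwise).
function shouldOfferCode(sms, pageHost, embedderHost) {
  const parsed = parseOtpMessage(sms);
  if (!parsed) {
    return { offer: false, reason: 'old format: message carries no domain binding' };
  }
  if (!matchesDomain(pageHost, parsed.domain)) {
    return { offer: false, reason: `code is bound to ${parsed.domain}, page is ${pageHost}` };
  }
  if (embedderHost !== undefined) {
    // Assumption: a framed field is only served when the message names the
    // embedding site with "%" and the top-level host matches it.
    if (!parsed.embedderDomain || !matchesDomain(embedderHost, parsed.embedderDomain)) {
      return { offer: false, reason: `field framed by ${embedderHost}, not allowed by message` };
    }
  }
  return { offer: true, code: parsed.code };
}

// Constructed sample messages (not real Apple or Facebook traffic).
const NEW_FORMAT = "Your Apple ID Code is 123456. Don't share it with anyone.\n@apple.com #123456 %apple.com";
const OLD_FORMAT = "Your Apple ID Code is 123456. Don't share it with anyone.";
const LOOKALIKE = 'Your code is 654321.\n@facebook.security.com #654321';

// Walk the article's scenarios; returns the decisions so they can be checked.
function demo() {
  return {
    legit: shouldOfferCode(NEW_FORMAT, 'appleid.apple.com'),               // offered
    oldFormat: shouldOfferCode(OLD_FORMAT, 'appleid.apple.com'),            // refused
    lookalike: shouldOfferCode(LOOKALIKE, 'facebook.com'),                  // refused
    wrongTld: shouldOfferCode('@example.net #123456', 'example.com'),       // refused
    framed: shouldOfferCode(NEW_FORMAT, 'appleid.apple.com', 'apple.com'), // offered
  };
}

for (const [name, decision] of Object.entries(demo())) {
  console.log(name, decision.offer ? `offer code ${decision.code}` : `refuse (${decision.reason})`);
}
```

On the page side the only thing the site supplies is the `autocomplete="one-time-code"` attribute on the input, as the article quotes; the domain in the message, not the page, decides whether the code is offered. A message in the old format yields no offer at all, which is the “something is fishy” signal the article describes, and a code bound to a look-alike domain such as facebook.security.com is refused on facebook.com because the match is exact-or-subdomain, never a substring test.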
It is not the most secure method of preventing phishing, but Apple is seemingly planning to work directly with developers. During our test, we continued to receive OTPs on iPhone via SMS in the old format, that is, without the “@apple.com #123456 %apple.com” suffix.