In two-factor authentication (2FA), it is relatively common, if we do not use the iCloud Keychain, that we receive the code by SMS. If this is the case, our iPhone or iPad is able to detect this code and offer to automatically complete it on the site or application in which we log in automatically, a feature that is now phishing-proof.

A new standard to avoid putting code where it is not

The automatic filling of double-factor codes is, without a doubt, very useful. Its use, however, can be exploited in phishing attacks. How? ‘Or’ What? A malicious site can, pretending to be another, ask for a user’s username and password. Later, you can pass this login to the real site so that the real site sends the code via SMS to the victim. Once the user enters the code, the malicious page uses it on the real website and gets full access.

This last step, that of entering the double-factor code on a phishing site, is precisely the one that will no longer be possible from now on. For a few weeks, Apple has been asking the various entities that use the sending of SMS with two-factor codes to include the domain to which the code belongs.

A measure to prevent good code from going to the wrong website.

Through this, the system compares that the stipulated URL matches the Safari URL, otherwise it refuses to autofill the double-factor code. Thus, if at any time we enter a website and the code received by SMS is not filled in automatically, we must beware.

Sure, it could be a mistake, like the service doesn’t offer that extra security measure yet, of course, but we should at least stop for a moment and check that everything is okay. If in doubt, it is best to stop the process, close the window and start over by visiting the site we want to access ourselves.

We may have already started to see, late last year, this new message structure for the two-factor code. It’s a structure similar to this, which is what Apple uses:

“Your Apple ID is: 123456. Do not share it with anyone.
@apple.com #123456 %apple.com”

The first line is for us humans, while the second, which lists the code and the domain it belongs to, is for automated systems. The last part, after the %, indicates additional domains in case there is an embedded iframe.

Thanks to this system, Safari can know when it should not offer code autofill. A signal that can alert us to an irregular situation and save us from error just at the last moment, since we remember that without the double factor code the account cannot be accessed. A security measure which, like many, can go unnoticed, but which is essential to ensure the security of our information.

Picture | Christina