Apple wants to standardize 2fa SMS display to improve security

Apple WebKit developers want to standardize the display of 2fa text messages so that the messages can be used more reliably by automated systems. At present every 2fa system uses its own message format, which according to the developers is not optimal and can even be dangerous.

Because there is currently no standard for 2fa text messages, websites that want to use such messages automatically must rely on heuristics, according to the Apple WebKit developers. That is, such systems guess at the message's contents with rules of thumb rather than reading a defined format, which yields a quick solution but not necessarily the best one. According to the developers, heuristics can lead to errors and can even be dangerous, although the developers do not explain what they mean by this.

The developers do say in their proposal that 2fa messages often do not mention which website they come from. As a result, users could unknowingly enter 2fa codes into rogue websites. This could be prevented if users could see that the site in their browser does not match the source website named in the text message.

The Apple WebKit developers therefore propose to standardize the 2fa text messages, so that systems that consume the messages can locate the code reliably. The developers propose a text message in which the first line is written in human-readable text and the second line is written for computer systems.

In the example of a 2fa message for the website, the text message would look like: ‘747723 is your FooBar authentication code. #747723’. In this example, the first line is for humans and optional. In the second line, the site after the @ sign indicates the source website, in this case The code after the # sign indicates the one-time code intended for 2fa.

The purpose of this standardized 2fa message is twofold. On the one hand, the developers want to spare users from having to type the one-time code into their browser themselves. On the other hand, websites should be able to trust that the codes are only entered on the website from which they were sent.
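The format described above and the origin check it is meant to enable, as an added example that is not part of the article or of WebKit's implementation. It assumes the machine-readable line is the last line of the message, that the host follows `@` and the code follows `#`, and that a browser should only auto-fill on an https page whose host equals the bound host or is a subdomain of it; the sample message and the host `foobar.example` are constructed.

```javascript
// Added example: parse a standardized 2fa SMS and decide whether a browser
// may auto-fill the one-time code into the current page.
// Assumed line format (not spelled out on the page): "@<host> #<code>".
const MACHINE_LINE = /^@([a-z0-9.-]+)\s+#([a-z0-9]+)$/i;

// Extract the bound host and the one-time code from a message.
// Returns null when the message carries no machine-readable line, so the
// caller falls back to letting the user type the code by hand.
function parseOriginBoundCode(message) {
  const lines = message.split(/\r?\n/).map((l) => l.trim()).filter(Boolean);
  if (lines.length === 0) return null;
  const m = MACHINE_LINE.exec(lines[lines.length - 1]);
  if (!m) return null;
  return {
    host: m[1].toLowerCase(),
    code: m[2],
    humanText: lines.slice(0, -1).join(' '), // optional first line for people
  };
}

// Policy of this example: auto-fill only when the page is served over https
// and its host is the bound host or a subdomain of it. A look-alike domain
// such as foobar-login.example therefore never receives the code.
function autofillDecision(message, pageUrl) {
  const parsed = parseOriginBoundCode(message);
  if (!parsed) return { allow: false, reason: 'no machine-readable line' };
  let page;
  try {
    page = new URL(pageUrl);
  } catch (e) {
    return { allow: false, reason: 'unparseable page URL' };
  }
  if (page.protocol !== 'https:') return { allow: false, reason: 'page is not https' };
  const host = page.hostname.toLowerCase();
  const bound = host === parsed.host || host.endsWith('.' + parsed.host);
  if (!bound) {
    return { allow: false, reason: `code bound to ${parsed.host}, page host is ${host}` };
  }
  return { allow: true, reason: 'origin matches', code: parsed.code };
}

// Constructed sample message modelled on the article's example.
const SAMPLE_SMS = '747723 is your FooBar authentication code.\n@foobar.example #747723';
```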

The developers say they have shipped an "earlier version" of the standardized 2fa messages in iOS 12 and Safari 12. Google developers are said to support the plan. What Firefox thinks of the proposal is unknown.