
A growing number of Apple users are reporting a change in the SMS messages they receive for two-factor verification. What used to be a simple SMS containing text and the 2FA code now also includes a strange string of characters. The change appears to be an effort by Apple to make its two-factor authentication stronger.
The update can be seen when logging in to an Apple ID using an SMS-based second-factor verification code. Apple users who did so recently spotted a strange mix of words, numbers and characters in the message that arrives with this code, something like "@apple.com #[code] %apple.com".
A report by MacWorld explains that the update is an attempt by Apple to thwart phishing attacks that try to steal users' data through dubious links. Such attacks often target 2FA login attempts by redirecting the victim to a phishing link. Any credentials the victim enters there go straight to the threat actor, who relays them to log in at the actual website or service.
Apple's new form of 2FA code message is meant to prevent this from happening. How? The basic mechanism is very simple: the altered SMS from Apple will prevent the code from being auto-detected by any service outside of Apple's domain. The feature builds on changes Apple proposed back in August 2020, as pointed out by MacWorld. At the time, Apple had promised that the feature would bring support for "domain-bound codes" for logins on Apple devices.
This means that text messages carrying the login code will need a slight addition: they must now provide a destination domain and some other data to the device instead of just the verification code. This way, Apple will be able to judge whether the verification code is being supplied to a trusted domain or to one that lies outside of Apple's trusted set of domains.
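To make the check concrete, here is an added example (not Apple's code and not from the MacWorld report) that parses the bound line shown in the sample message and compares its domain with the host of the page asking for the code. The message text, host names, function names and the rule that subdomains of the bound domain count as a match are assumptions made for illustration.

```javascript
// Added example: parse a domain-bound code SMS and compare it with the page host.
// Assumed layout, taken from the sample in the article: "@domain #code %domain"
// on the last line of the message.
const BOUND_LINE = /^@([a-z0-9.-]+) #([a-z0-9]+)(?: %([a-z0-9.-]+))?$/i;

function parseBoundCode(sms) {
  const lines = sms.trim().split(/\r?\n/);
  const m = BOUND_LINE.exec(lines[lines.length - 1].trim());
  if (!m) return null; // plain message: no domain binding present
  return {
    domain: m[1].toLowerCase(),
    code: m[2],
    // The article does not explain the "%" field; it is returned, not interpreted.
    embedded: m[3] ? m[3].toLowerCase() : null,
  };
}

// Assumption: a host matches if it equals the bound domain or is a subdomain of it.
// The leading dot stops look-alikes such as "evilapple.com" from matching.
function hostMatches(host, domain) {
  const h = host.toLowerCase();
  return h === domain || h.endsWith("." + domain);
}

// Returns "match" with the code, "mismatch" when the page is outside the bound
// domain, or "unbound" when the message carries no domain at all.
function codeForPage(sms, pageHost) {
  const bound = parseBoundCode(sms);
  if (!bound) return { status: "unbound" };
  if (!hostMatches(pageHost, bound.domain)) {
    return { status: "mismatch", domain: bound.domain };
  }
  return { status: "match", code: bound.code };
}

// Constructed sample message and hosts (not captured from a real device).
const SAMPLE_SMS =
  "Your Apple ID Code is: 123456. Don't share it with anyone.\n" +
  "@apple.com #123456 %apple.com";

console.log(codeForPage(SAMPLE_SMS, "appleid.apple.com"));
console.log(codeForPage(SAMPLE_SMS, "apple.com.signin.example"));
```

The second call is the phishing case the article describes: the host contains "apple.com" but is not under it, so the code is not offered.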
It is a simple update that should prove effective against phishing attacks on 2FA codes. Of course, it will limit the tendency of iOS 15, iPadOS 15, and macOS 11 Big Sur to auto-fill passwords onto a service. Though if this happens, the domain should raise a red flag, prompting users to double-check where they are about to submit their verification code.
Copyright©2022 Living Media India Limited. For reprint rights: Syndications Today