Phishing-Resistant One-Time Codes Autofill Delivered Via SMS
August 27, 2020
GitHub recently announced it was adopting a draft standard for the format of SMS one-time passwords (e.g. two-factor authentication codes) to help thwart phishing attacks.
Before we get to the details it’s important to note that using SMS for one-time passwords is less secure than using a dedicated app such as Authy as the approach is susceptible to SIM-swap attacks. They’re also less convenient – sometimes the messages take a while to arrive and won’t be received at all if the user is out of mobile phone range or has swapped their SIM card while traveling overseas.
That said, one-time passwords via SMS matter – they’re the most common way to deliver 2FA codes because they work with the technology that users already have. Downloading a dedicated app just to manage 2FA codes is beyond many users.
How it Works
The idea behind the standard is a predefined SMS (text message) format that looks like this:
The last line must match the format above, starting with @ and in the format
Devices can then interpret this as an unambiguous one-time password. On your web app, you specify:
The browser can match the origin of the site (example.com) against the message received, and then autofill this value for the user.
Some mobile browsers already do this (Safari, for instance) but do so via guesswork, without any guarantee that the one-time password (OTP) you just received belongs to the right site. Without the origin binding, a phishing site could simply add autocomplete="one-time-code" to a bogus form and collect the OTP the browser autofills.
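The matching step described above, as an added example (not code from the post, GitHub, Apple or Google): a small validator that only releases a code when the bound host on the message's last line matches the page origin. It assumes the draft's last-line shape `@<host> #<code>` and an exact hostname comparison; the sample messages are constructed.

```javascript
// Added example: defender-side check for origin-bound SMS one-time codes.
// Assumed last-line shape (from the draft format): "@<host> #<code>".
// Policy assumption: the bound host must equal the page's hostname exactly.

const OTP_LINE = /^@([A-Za-z0-9.-]+) #([A-Za-z0-9]+)$/;

// Parse the SMS body. Only the final line carries the binding; anything
// else in the message is human-readable text and is ignored.
function parseOriginBoundCode(smsText) {
  const lines = smsText.trim().split(/\r?\n/);
  const last = lines[lines.length - 1].trim();
  const m = OTP_LINE.exec(last);
  if (!m) return null; // legacy or malformed message: no autofill
  return { host: m[1].toLowerCase(), code: m[2] };
}

// Return the code only if the message was bound to the page's origin.
// A look-alike host (example.com.evil.test) or a different site gets null,
// which is what stops a phishing page from harvesting the autofilled OTP.
function codeForOrigin(smsText, pageOrigin) {
  const parsed = parseOriginBoundCode(smsText);
  if (!parsed) return null;
  const pageHost = new URL(pageOrigin).hostname.toLowerCase();
  return parsed.host === pageHost ? parsed.code : null;
}

// Constructed sample messages (not real traffic).
const genuine = "Your example.com code is 123456.\n\n@example.com #123456";
const lookalike = "Your code is 123456.\n\n@example.com.evil.test #123456";
const legacy = "Your code is 123456.";
const notLast = "@example.com #123456\nIgnore the line above.";

module.exports = { parseOriginBoundCode, codeForOrigin, genuine, lookalike, legacy, notLast };
```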
Status of the Standard
This is a draft standard published by Apple and Google earlier this year. Support seems to be growing. GitHub adopted it earlier this month. Draft standards can and do change, so make sure to do an up-to-date assessment before you attempt to implement it. (And, if you haven’t already, consider using an identity provider to handle this concern for you. Designing and building secure authentication is hard to do well and often not what differentiates your app.)