
    #2422459

    Apple Starts Blocking SMS Autofill for Two-Factor Authentication to Prevent Phishing Attacks

    Autofill for two-factor authentication (2FA) codes delivered via SMS is a convenient iPhone feature. However, Apple has started requesting companies to send 2FA codes in a more secure format in your better interest.

    Phishing scammers rely on the credibility associated with Apple’s autofill system. When a victim clicks on a malicious link to a site that generates an SMS code, autofill on iPhone offers to paste it for you, making the attack seem credible for the unwary victim…

    Apple’s proposed countermeasure requires companies to send the SMS codes in a secure format so the iPhone auto-fills the code only if the domains match. So, iPhone won’t offer the autofill option if the phishing scammers seek 2FA codes for one website, but the code is generated from another website. The new SMS format looks like this:

    “Your Apple ID Code is: 123456. Don’t share it with anyone.
    @apple.com #123456 %apple.com”
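    The check described above, written out as an added example (this is not Apple’s code and not from the original post; it is a simplified model of how the last line of a domain-bound SMS is parsed and compared against the site asking for the code). Assumptions, labelled in the comments: the binding line is the last non-empty line of the message, the `@` domain must equal the requesting page’s host or be a parent domain of it, and the optional `%` domain is matched the same way against the host of an in-app web view. The sample message is constructed to mirror the format quoted in the post.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Hostname grammar: labels of letters, digits and hyphens, at least two labels
# (so "apple.com" is accepted but "apple.com:443" or "apple.com/login" is not).
_LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
_DOMAIN = rf"{_LABEL}(?:\.{_LABEL})+"

# Binding line, e.g. "@apple.com #123456 %apple.com".
# "%<domain>" is optional and is used when the code was requested from a web view.
_BINDING_RE = re.compile(
    rf"^@(?P<domain>{_DOMAIN}) #(?P<code>[A-Za-z0-9-]+)(?: %(?P<webview>{_DOMAIN}))?$",
    re.IGNORECASE,
)

# Constructed sample mirroring the message quoted in the post (not a real SMS).
SAMPLE_SMS = (
    "Your Apple ID Code is: 123456. Don’t share it with anyone.\n"
    "@apple.com #123456 %apple.com"
)


@dataclass(frozen=True)
class Binding:
    domain: str
    code: str
    webview_domain: Optional[str]


def parse_binding(sms: str) -> Optional[Binding]:
    """Return the domain binding carried on the message's last non-empty line, or None."""
    lines = [ln.strip() for ln in sms.splitlines() if ln.strip()]
    if not lines:
        return None
    m = _BINDING_RE.match(lines[-1])
    if m is None:
        return None
    webview = m.group("webview")
    return Binding(
        domain=m.group("domain").lower(),
        code=m.group("code"),
        webview_domain=webview.lower() if webview else None,
    )


def host_matches(host: str, bound_domain: str) -> bool:
    """Assumption: host must equal the bound domain or be a subdomain of it.

    The "." separator matters: "evilapple.com" must not match "apple.com".
    """
    host = host.lower().rstrip(".")
    return host == bound_domain or host.endswith("." + bound_domain)


def autofill_decision(
    sms: str, page_host: str, webview_host: Optional[str] = None
) -> Tuple[Optional[str], str]:
    """Decide whether to offer the code for autofill on page_host.

    Returns (code, reason); code is None when autofill must not be offered.
    Unbound messages are refused here (assumption: the stricter policy the
    post's title describes, not the legacy behaviour of filling any code).
    """
    binding = parse_binding(sms)
    if binding is None:
        return None, "no domain binding in message"
    if not host_matches(page_host, binding.domain):
        return None, f"message bound to {binding.domain}, page is {page_host}"
    if webview_host is not None:
        if binding.webview_domain is None:
            return None, "code requested from a web view but message has no %domain"
        if not host_matches(webview_host, binding.webview_domain):
            return None, f"web view bound to {binding.webview_domain}, page is {webview_host}"
    return binding.code, "domain matches"


if __name__ == "__main__":
    for host in ("appleid.apple.com", "apple.com.login-verify.example", "evilapple.com"):
        print(host, "->", autofill_decision(SAMPLE_SMS, host))
```

    The phishing case from the post is the second and third hosts above: the message is genuine and the code is real, but because the page asking for it is not under `apple.com`, no autofill prompt is offered and the victim gets no false sense of legitimacy from the OS.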

    • #2422574

      I’ve had an iPhone XR for over three years now and an Apple Watch for over two years, and I have no idea what “autofill for two-factor authentication” is, as I deliberately do not use 2FA on my Windows 10 Dell XPS computer. I try not to need to access Apple websites as “logged in” on my computer, and I rarely access the internet on my iPhone.

      I don’t bank on my computer either. I use either a banking app on my Face ID iPhone, or I also still get the credit card, etc. statements by snail mail and I use the bank’s app on my phone, or I use my backup CORDED landline to pay bills, etc. That phone has had an unlisted and unpublished number for over 40 years. It’s getting terribly expensive, though, to have the luxury of a landline with a private number, and that is sad.

      I use the Microsoft Authenticator on my iPhone if needed and it does not require 2FA. I suppose it is why I don’t know what “SMS Autofill for 2FA” is but I try to avoid all that and do old fashioned banking instead. My bank was the first in the nation, back in 1999, to offer banking over the internet. I had just gotten my first computer and was intrigued and did do banking online through my bank but as the internet grew and became such a nasty place, I stopped doing that.

    • #2422774

      So after we have generated unbreakable 10-place alphanumeric-special-character passwords for 20 or 30 logins, now we are encouraged to provide a second layer of security….

      Question: do we really need that 10-place “unbreakable” letter-word-special-character initial password? Couldn’t it now be shorter and perhaps a bit less convoluted, considering that even if someone was able to hack it, they are unlikely to have the second layer as well?

      Just abstract thoughts after a long time home bound with nothing else to do….;-)

    • #2422795

      At NASA we had to replace an elaborate password, making up another one every two months to be able to use our computers and access the LAN of our Center. This year that changed and people have been encouraged more and more insistently to “go password-less!!!”

      Fine with me: I did that and have not renewed my password since then, five months ago. Now I have to use my PIN with my badge in a card reader more often. PIN + badge was also needed, if to a lesser extent, for several years already, when we also needed a password to do logins on top of it. But this is actually much less of a hassle now than was changing passwords every two months, because people, myself included, would be worrying about the next deadline, then forget to do it until the deadline was past, then would have to go and phone the Help Center to get someone to unlock the account and make it so one could change passwords, so everything would then be OK for another two months. The no-password option, as just described, was possible all along, but things can take a remarkably long time to become more sensible in a bureaucracy.

      Ex-Windows user (Win. 98, XP, 7); since mid-2017 using also macOS. Presently on Monterey 12.15 & sometimes running also Linux (Mint).

      MacBook Pro circa mid-2015, 15" display, with 16GB 1600 GHz DDR3 RAM, 1 TB SSD, a Haswell architecture Intel CPU with 4 Cores and 8 Threads model i7-4870HQ @ 2.50GHz.
      Intel Iris Pro GPU with Built-in Bus, VRAM 1.5 GB, Display 2880 x 1800 Retina, 24-Bit color.
      macOS Monterey; browsers: Waterfox "Current", Vivaldi and (now and then) Chrome; security apps. Intego AV

    • #2422819

      do we really need that 10 place “unbreakable” letter-word-spec character initial password?

      2FA has nothing to do with the strength/weakness of your passwords.
      2FA just confirms you are who you claim to be by sending a numeric code to your smartphone (either by SMS message or a pop-up notification, like Apple does).
