Apple Bolsters iOS 14 With Powerful Move To Make SMS Passcodes More Secure
Apple has just made a powerful new move in iOS 14 to make SMS passcodes more secure. Here’s what you need to know.
Perhaps I am blinded by the shininess of my iPhone, but to me, Apple remains the brand of choice for those who care about their security and privacy. The real shift started back in iOS 13, which added a bunch of cool features, and this is being ramped up even further in iOS 14—the major Apple operating system update arriving this Fall.
Now, Apple has confirmed in a developer blog how it will make SMS one-time codes—used for two-factor authentication—more secure using something called domain-bound codes.
So, how does this work?
How domain bound codes work
SMS passcodes are used by many sites and apps for two-factor authentication. On your iPhone, Security Code AutoFill makes it easy for people to quickly supply these codes by offering them in the QuickType bar.
Apple has now confirmed that starting with iOS 14 and macOS Big Sur, it will add an extra layer of security to SMS-delivered codes by allowing you to associate codes with a specific web domain.
Apple explains in a developer blog that a domain-bound code means AutoFill will suggest the code “if—and only if—the domain is a match for the website or one of [the] app’s associated domains.”
For example, Apple says, if you receive an SMS message that ends with @example.com #123456, AutoFill “will offer to fill that code when they interact with example.com, any of its subdomains, or an app associated with example.com.”
“If instead you receive an SMS message that ends with @example.net #123456, AutoFill will not offer the code on example.com or in example.com’s associated app.”
The aim of this, of course, is to improve security. The change makes it harder for an attacker to trick someone into entering one-time codes into a phishing site, Apple says.
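The matching rule Apple describes can be modelled in a few lines. The following is an added illustration, not Apple's implementation or code from the developer blog: the function names, the regular expression and the sample messages are assumptions built only from the `@example.com #123456` format quoted above.

```python
import re

# Simplified model (assumption): the message must END with "@<domain> #<code>".
_BOUND = re.compile(
    r"@(?P<domain>[a-z0-9-]+(?:\.[a-z0-9-]+)+)\s+#(?P<code>[A-Za-z0-9]+)\s*$",
    re.IGNORECASE,
)


def parse_bound_code(sms):
    """Return (domain, code) if the SMS ends with a domain-bound code, else None."""
    m = _BOUND.search(sms)
    if not m:
        return None
    return m.group("domain").lower(), m.group("code")


def host_matches(host, bound_domain):
    """True for the bound domain itself or one of its subdomains.

    The leading dot in the suffix test matters: without it,
    'evilexample.com' would pass as a match for 'example.com'.
    """
    host = host.lower().rstrip(".")
    return host == bound_domain or host.endswith("." + bound_domain)


def should_offer(sms, host=None, app_domains=()):
    """Return the code to suggest for this site/app, or None to withhold it."""
    parsed = parse_bound_code(sms)
    if parsed is None:
        return None  # not a domain-bound message; outside this sketch
    domain, code = parsed
    if host is not None and host_matches(host, domain):
        return code
    # Hypothetical stand-in for an app's associated domains: exact match only.
    if any(d.lower() == domain for d in app_domains):
        return code
    return None


# Constructed sample messages, modelled on the examples quoted above.
SMS_COM = "Your Example code is 123456.\n\n@example.com #123456"
SMS_NET = "Your Example code is 123456.\n\n@example.net #123456"
```

A site that sends these messages can run the same check in its own tests to confirm that the domain it puts in the SMS matches the host serving its login form.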
SMS codes are not the ideal form of 2FA
It’s a good move by Apple to make these one-time passcodes as secure as possible on your iPhone. However, SMS two-factor authentication codes are not the best way to secure your accounts, as Jake Moore, cybersecurity specialist at ESET, explains. This is because SIM swapping can help attackers to bypass this form of security and gain access to your accounts, taking full control of your phone.
“This new initiative will no doubt make accounts safer but users must be reminded that SIM swap attacks will bypass it,” Moore warns. “Losing physical access to your phone will also bypass this so it is vital to keep your phones secure and move to authenticator apps where possible for all accounts.”
I agree. Domain bound codes are a good move by Apple, but SMS passcodes are still not the ideal form of 2FA. So why not start with a free authenticator app, then look at purchasing a security key if you feel ready?