Apple Bolsters iOS 14 With Powerful Move To Make SMS Passcodes More Secure

Apple has just made a powerful new move in iOS 14 to make SMS passcodes more secure. Here’s what you need to know.

Perhaps I am blinded by the shininess of my iPhone, but to me, Apple remains the brand of choice for those who care about their security and privacy. The real shift started back in iOS 13, which added a bunch of cool features, and this is being ramped up even further in iOS 14—the major Apple operating system update arriving this Fall.

Now, Apple has confirmed in a developer blog how it will make SMS one-time codes—used for two-factor authentication—more secure using something called domain-bound codes.

The move had already been proposed earlier in the year by Apple’s WebKit team, Apple-focused site 9to5Mac reports, but now developers can implement the changes in both iOS 14 and macOS Big Sur.

So, how does this work?

How domain-bound codes work

SMS passcodes are used by many sites and apps for two-factor authentication. On your iPhone, Security Code AutoFill makes it easy for people to quickly supply these codes by offering them in the QuickType bar.

Apple has now confirmed that starting with iOS 14 and macOS Big Sur, it will add an extra layer of security to SMS-delivered codes by allowing you to associate codes with a specific web domain.

Apple explains in a developer blog that a domain-bound code means AutoFill will suggest the code “if—and only if—the domain is a match for the website or one of [the] app’s associated domains.”

For example, Apple says, if you receive an SMS message that ends with @example.com #123456, AutoFill “will offer to fill that code when they interact with example.com, any of its subdomains, or an app associated with example.com.”

“If instead you receive an SMS message that ends with @example.net #123456, AutoFill will not offer the code on example.com or in example.com’s associated app.”

The aim of this, of course, is to improve security. The change makes it harder for an attacker to trick someone into entering one-time codes into a phishing site, Apple says.
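The matching rule Apple describes can be modeled in a few lines of JavaScript. This is an added example, not code from Apple or from the original article; the function names, the regular expression for the trailing `@domain #code` text and the sample message are assumptions built only from the format quoted above.

```javascript
// Simplified model of domain-bound SMS code matching (added example).
// Assumption: the message ends with "@<domain> #<code>", as in the
// "@example.com #123456" format quoted in the article.
const BOUND_SUFFIX = /(?:^|\s)@([a-z0-9-]+(?:\.[a-z0-9-]+)+) #([a-z0-9]+)\s*$/i;

// Extract the bound domain and the code from the end of the message.
// Returns null when the message carries no domain binding.
function parseBoundCode(sms) {
  const m = BOUND_SUFFIX.exec(sms);
  return m ? { domain: m[1].toLowerCase(), code: m[2] } : null;
}

// A host matches when it is the bound domain itself or a subdomain of it.
// The comparison is made on a label boundary (leading dot), so look-alike
// hosts such as "evil-example.com" or "example.com.evil.net" do not match.
function hostMatches(host, boundDomain) {
  const h = host.toLowerCase().replace(/\.$/, ""); // drop a trailing root dot
  return h === boundDomain || h.endsWith("." + boundDomain);
}

// Return the code to suggest for the site being visited, or null.
// null here means "no domain-bound code to offer"; messages without a
// binding are outside this model.
function codeToOffer(sms, currentHost) {
  const bound = parseBoundCode(sms);
  if (!bound) return null;
  return hostMatches(currentHost, bound.domain) ? bound.code : null;
}

// Constructed sample message, not a real SMS.
const SAMPLE_SMS = "Your Example code is 123456.\n\n@example.com #123456";

for (const host of ["example.com", "login.example.com", "example.net",
                    "evil-example.com", "example.com.evil.net"]) {
  console.log(host, "->", codeToOffer(SAMPLE_SMS, host));
}
```

The label-boundary comparison in `hostMatches` is the part that matters for phishing resistance: a plain substring or suffix test without the leading dot would accept look-alike hosts.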

SMS codes are not the ideal form of 2FA

It’s a good move by Apple to make these one-time passcodes as secure as possible on your iPhone. However, SMS two-factor authentication codes are not the best way to secure your accounts, as Jake Moore, cybersecurity specialist at ESET, explains. This is because SIM swapping can help attackers to bypass this form of security and gain access to your accounts, taking full control of your phone.

In an ideal world, you should use security keys such as the Yubico YubiKey on your iPhone—which I am a really big fan of. You can also use authenticator apps such as Authy.

“This new initiative will no doubt make accounts safer but users must be reminded that SIM swap attacks will bypass it,” Moore warns. “Losing physical access to your phone will also bypass this so it is vital to keep your phones secure and move to authenticator apps where possible for all accounts.”

I agree. Domain-bound codes are a good move by Apple, but SMS passcodes are still not the ideal form of 2FA. So why not start with a free authenticator app, then look at purchasing a security key if you feel ready?


This article was written by Kate O’Flaherty from Forbes and was legally licensed through the Industry Dive publisher network. Please direct all licensing questions to legal@industrydive.com.