A proposal from Apple engineers aimed at making SMS security more effective is making its way through the web development community.
The idea, which was backed by Google in January, is essentially to link an SMS-based One Time Passcode directly to the website or other online entity sending it for user authentication. This means that an end user would receive the code via SMS, and then click the message to be taken to the issuing site so that the code can be entered.
The aim is to mitigate phishing attacks in which users are prompted to enter SMS passcodes into fraudulent websites, allowing cybercriminals to then use those legitimate OTPs themselves and thereby gain access to victims’ accounts.
The “Origin-bound one-time codes delivered via SMS” concept was detailed in a GitHub post co-authored by Apple’s Theresa O’Connor and Google’s Sam Goto earlier this month, and has now officially been made a Web Platform Incubator Community Group specification draft. Launched in 2015, the WICG describes itself as “a lightweight venue for proposing and discussing new web platform features,” suggesting that the enhanced OTP concept is gaining traction.