iOS 14 adds domain-bound codes to make SMS one-time passcodes more secure

Nov 10, 2017
Earlier this year, Apple’s WebKit team proposed a change to the format of SMS one-time passcodes to make two-factor authentication more secure. Apple confirmed today that developers can already implement these changes with iOS 14 and macOS Big Sur.

Since iOS 12, Apple has allowed websites and apps that require two-factor authentication to auto-fill codes sent via SMS. Now the company is making this process easier and more secure by implementing something it calls a “domain-bound code.”
Additionally, starting with iOS 14 and macOS Big Sur, we’re adding an extra layer of security to SMS-delivered codes by allowing you to associate codes with a specific web domain.
Apple explains that domain-bound code allows iOS and macOS to suggest auto-filling the two-step authentication code only if the domain is a match for the website or one of your app’s associated domains.

Let’s say you get a code associated with the “twitter.com” domain. With iOS 14 and macOS Big Sur, iOS and macOS will only offer to auto-fill this code in the official Twitter app or on the Twitter website. According to Apple, this change makes it harder for hackers to trick users with malicious websites asking for two-factor authentication codes.

For example, if you receive an SMS message that ends with @example.com #123456, AutoFill will offer to fill that code when you interact with example.com, any of its subdomains, or an app associated with example.com. If instead you receive an SMS message that ends with @example.net #123456, AutoFill will not offer the code on example.com or in example.com’s associated app.
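To make the matching rule concrete, here is a small Python model of the decision described above: parse the trailing @domain #code line and offer the code only for the bound domain, one of its subdomains, or an app's associated domain. This is an added example, not code from the article or from Apple; the 4-to-8-character code length (the article only shows six digits), the sample messages and the associated_domains parameter are assumptions.

```python
import re
from typing import Iterable, Optional, Tuple

# Last line of a domain-bound SMS: "@<domain> #<code>". The article only shows a
# six-digit code; allowing 4-8 alphanumerics is an assumption of this example.
BOUND_CODE_RE = re.compile(
    r"^@(?P<domain>[a-z0-9-]+(?:\.[a-z0-9-]+)+)\s+#(?P<code>[a-z0-9]{4,8})$",
    re.IGNORECASE,
)

# Constructed sample messages, mirroring the two cases in the article.
SMS_EXAMPLE_COM = "Your Example verification code is 123456.\n\n@example.com #123456"
SMS_EXAMPLE_NET = "Your verification code is 123456.\n\n@example.net #123456"
SMS_LEGACY = "Your verification code is 123456."


def parse_domain_bound_code(sms: str) -> Optional[Tuple[str, str]]:
    """Return (domain, code) when the last non-blank line is a domain-bound code, else None."""
    lines = [ln.strip() for ln in sms.splitlines() if ln.strip()]
    if not lines:
        return None
    m = BOUND_CODE_RE.match(lines[-1])
    if not m:
        return None
    return m.group("domain").lower(), m.group("code")


def host_matches(bound_domain: str, host: str) -> bool:
    """True only for the bound domain itself or a subdomain of it.

    The leading dot in the suffix check keeps a look-alike such as
    "evilexample.com" from matching a code bound to "example.com".
    """
    host = host.lower().rstrip(".")
    return host == bound_domain or host.endswith("." + bound_domain)


def code_to_offer(sms: str, host: str, associated_domains: Iterable[str] = ()) -> Optional[str]:
    """Model the AutoFill decision: offer the code only when the page host, or one
    of the app's associated domains, matches the domain the code is bound to."""
    parsed = parse_domain_bound_code(sms)
    if parsed is None:
        return None  # unbound legacy code: nothing ties it to a domain, so outside this model
    domain, code = parsed
    if any(host_matches(domain, h) for h in (host, *associated_domains)):
        return code
    return None
```

A production implementation would additionally refuse bindings to a bare public suffix (for example a code bound to "com"), which this model does not check.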