Apple’s WebKit web browser engine team has proposed a new standard for SMS-based two-factor authentication (2FA) that would allow the process to be automated, requiring no extra user interaction when logging into a web site on a mobile device.
Currently, SMS-based 2FA requires that users receive and view a text message containing a one-time passcode (OTP) that is typically a six-digit number, then enter that number on a special login page. In some cases, the process can be automated, but it is not standardized. Mobile OSes have attempted to semi-automate the process by offering one-tap copy-and-paste options for OTPs.
Apple’s proposed standard would include a special login URL in the text message body. This would allow mobile browsers and/or OSes to complete the login automatically, as well as provide protection against phishing attempts. Google’s web browser engine team is also on board with the proposal.