Slashdot is powered by your submissions, so send in your scoop

 



Forgot your password?
typodupeerror
×
Security Apple IT Technology

Apple Wants To Standardize the Format of SMS OTPs (One-Time Passcodes) (zdnet.com) 125

Apple engineers have put forward a proposal today to standardize the format of the SMS messages containing one-time passcodes (OTP) that users receive during the two-factor authentication (2FA) login process. From a report: The proposal comes from Apple engineers working on WebKit, the core component of the Safari web browser. The proposal has two goals. The first is to introduce a way that OTP SMS messages can be associated with an URL. This is done by adding the login URL inside the SMS itself. The second goal is to standardize the format of 2FA/OTP SMS messages, so browsers and other mobile apps can easily detect the incoming SMS, recognize web domain inside the message, and then automatically extract the OTP code and complete the login operation without further user interaction. By doing this, the process of receiving and entering a one-time passcode could be automated, eliminating the risk of a user falling for a scam and entering an OTP code on a phishing site, with the wrong URL.
This discussion has been archived. No new comments can be posted.

Apple Wants To Standardize the Format of SMS OTPs (One-Time Passcodes)

Comments Filter:
  • by FictionPimp ( 712802 ) on Thursday January 30, 2020 @12:35PM (#59671322) Homepage

    Subject says it all. SMS is not secure enough for this purpose.

    • by Anonymous Coward

      Subject says it all. SMS is not secure enough for this purpose.

      Common sense says people aren't going to shell out for dedicated hardware, and if your damn phone is compromised, then the "secure" MFA app running on it is too.

      People are cheap and lazy, and this is better than nothing. And let's stop pretending that SIM swaps are fucking commonplace already.

      • "let's stop pretending that SIM swaps are fucking commonplace already"

        Yeah totally. Let's bury our heads in the sand and hum "nah nah nah". That's what real security looks like!

      • by dgatwood ( 11270 ) on Thursday January 30, 2020 @01:53PM (#59671676) Homepage Journal

        Common sense says people aren't going to shell out for dedicated hardware, and if your damn phone is compromised, then the "secure" MFA app running on it is too.

        The problems with SMS have nothing to do with the security of the phone, and everything to do with the complete lack of security between the sender's server and your phone. As I understand it, here's what happens (approximately — I'm probably missing a bunch of interesting details here) when one of those OTPs is sent out:

        • The server sends a message to an SMS gateway.
        • The SMS gateway uses either a database or a manual selection from the user to decide which carrier should get the SMS.
        • The SMS gateway delivers the message to the carrier, often via email.
        • The carrier looks in a database to determine which SIM card should get the message.
        • The carrier determines (probably through a database lookup) which cell tower last saw a phone with that SIM card number.
        • The carrier sends that message to the tower, which delivers it to the phone as an out-of-band, unencrypted chunk of data attached to the next packet that it sends out.

        So let's go over how each of those steps can be compromised:

        • Transmission from the server to the gateway: Depending on how this is done, this might be a snooping opportunity. This would likely be a targeted attack against a specific website, so this is relatively uninteresting, because detection would be likely, and a mass rollback necessary, at the website's expense.
        • Gateway lookup: Someone can monkey with the database and trick a website into sending the message to the wrong carrier (or a server that isn't a carrier). Again, it's a targeted attack against a single website, so largely uninteresting.
        • Gateway transmission: Someone can sniff the email from the website to the carrier. Again, it's a targeted attack against a single website, so largely uninteresting.
        • Carrier SIM lookup: Someone can convince the carrier to switch your account over to a different phone, resulting in the OTP getting sent to the attacker instead. This is unlikely to be detected until it is too late, and because it targets a single user, the burden of proof is on you, making this the most serious concern, security-wise.
        • Carrier tower lookup: Someone can clone your SIM card and use it to get the OTP on another device. This affects a single user, and although the user may know that his/her account is being attacked, the user may or may not realize it in time, making this a pretty serious concern.
        • Carrier delivery: Someone can stay within range of the same tower as the victim, then capture the packets from the tower with a software-defined radio, and steal the OTP. This has the same risk as SIM cloning.

        So as you can see, when we say that SMS is insecure, we don't mean that it is insecure if someone cracks your device. We mean that it is so insecure that they might as well post the OTP on one of those giant electronic signs in the middle of Times Square.

        • So what if itâ(TM)s insecure, any one stuffing or stealing the otp code canâ(TM)t do a damn thing because they wonâ(TM)t have the token from the web session the code is for that is passed cos https The only difference between it being in time square and or at one cell tower is that someone else who has got your password isnâ(TM)t very less likely to be.
          • by dgatwood ( 11270 )

            So what if itâ(TM)s insecure, any one stuffing or stealing the otp code canâ(TM)t do a damn thing because they wonâ(TM)t have the token from the web session the code is for that is passed cos https The only difference between it being in time square and or at one cell tower is that someone else who has got your password isnâ(TM)t very less likely to be.

            If I understand your question correctly, you're misunderstanding how the SMS attack ties in to the attack as a whole. The part I left ou

        • by _merlin ( 160982 )

          The delivery to the handset is encrypted from 3G onwards. It was an unencrypted control channel frame in GSM, but we've moved on from that. SIM cloning attacks should be more difficult than they used to be as well. I agree that SMS is not secure by design, but it's not quite as easy to casually steal SMS as it used to be.

      • by grimr ( 88927 )

        Common enough up here.

        https://www.cbc.ca/news/canada... [www.cbc.ca]

        https://www.cbc.ca/news/canada... [www.cbc.ca]

    • by dgatwood ( 11270 ) on Thursday January 30, 2020 @01:10PM (#59671484) Homepage Journal

      The problem is not so much that SMS is insecure, so much as that authentication is so fundamentally broken that people need a secure channel in the first place. This is like sending the key to the storm door outside someone's main front door by mail and being concerned that someone might break into the house by stealing the mail because the main front door is usually left unlocked.

      Right now, we have this bizarre world where people use passwords instead of private keys for authentication. As a result of having to remember passwords and, on many websites, being repeatedly asked to enter them, people use weak passwords that are also typically easily guessable.

      We should be using 4096-bit (or larger) private keys instead of passwords, and using some more complex proof of identity than passwords (possibly requiring access to an existing device in addition to that proof, and/or an in-person visit to a notary) when adding a new device to an account.

      The entire notion of having to sign in using an inherently weak scheme like passwords is flawed, and adding a second factor as weak as SMS doesn't improve the situation in any meaningful way, but even adding a strong second factor (such as an external crypto device) with a weak first factor like passwords won't give you a security story that's as good as a strong second factor with a strong first factor.

      • For the vast majority of use cases, SMS stops snooping people from trying to access your account. SIM swapping will soon be left out in the dust as eSIM takes hold. I do think however that actual authentication apps like Google's Authenticator are better choices, as it doesn't require the carrier to be involved in your protection.
        • So basically, you get access to a person's phone, and you get access to everything. Riiiiiiight. Super secure!!

        • by tlhIngan ( 30335 )

          SIM swapping will soon be left out in the dust as eSIM takes hold.

          eSIM does not affect SIM swapping at all. SIM swapping is just reprovioning a SIM card with your account information. Basically transferring service from one SIM card to another. All eSIM does is make it so you don't have to physically move a chip between phones (which can require a new SIM card because they accept different sizes).

        • by mysidia ( 191772 )

          SIM swapping will soon be left out in the dust as eSIM takes hold.

          eSIM does nothing about SIM Swapping. SIM Swapping is not: moving a SIM card to a new phone - its contacting the phone company pretending to be the customer and moving the phone number to a new SIM card to replace the old one

          The phone companies are still going to have a procedure where people can replace their Cell phone and keep their number on their new phone; as long as that exists, and as long as number porting still exists on

      • by gweihir ( 88907 )

        Well, using a password manager fixes this to some degree, but most people are not really able to do this either. Passwords are not the problem though. The problem is that this whole "Internet" thing is pretty new and things need to stabilize for a few decades yet before they can be considered mature technology. In the end, everybody will carry some kind of dedicated authenticator that has interactive capabilities (tells you what you are authenticating to), because that is the only thing that works. No, it w

        • No, it will not be the mobile phone, although it may be in there as a separate device that only shares power and maybe some very small attack surface interface with the main one. But it will have its own display and own y/n button and also some dedicated unlock mechanism and it will be _hard_ to attack with physical contact and almost impossible remotely.

          I don't see why they can't be the device itself or multiple devices. Provided that the key is stored in some sort of secure enclave, and the device can be "de-trusted" easily from another authenticated session/device. Everyone thought cameras would remain separate devices, but it's simply not convenient.

      • We should be using 4096-bit (or larger) private keys instead of passwords, and using some more complex proof of identity than passwords (possibly requiring access to an existing device in addition to that proof, and/or an in-person visit to a notary) when adding a new device to an account.

        Devices can be lost or stolen. Biometrics can be faked (or worse), so locking said device with biometrics is a bad idea. That leaves locking the device with a password, but that leaves just one password to crack. 2 factor authentication - device plus site password - is more secure. Kind of like accessing a safe deposit box; you need 2 keys: Your key and the bank's (or other service provider's) key.

        Real world example: A cousin of mine used a password vault app on his phone to store all his passwords. One day

        • And that password vault had no password system in place or did your cousin use 12345, you know, the one on your luggage?

      • I donâ(TM)t understand why we all donâ(TM)t just use client certificates. Login to browser once to unlock client cert. Client cert used to authenticate on any https to any server. No need to login to anything in the internet ever again.
        • Too many use cases that don't work with it. For one, temporarily using a computer that's not yours. It's much easier to run a private browsing window (or even a livecd/usb) and provide an OTP to get in once.

        • >"I donÃ(TM)t understand why we all donÃ(TM)t just use client certificates. Login to browser once to unlock client cert. Client cert used to authenticate on any https to any server. No need to login to anything in the internet ever again."

          A certificate or private key is not authentication of the PERSON. It isn't in that person's mind. So anyone with access to that physical device can now do whatever they want. Passwords have a very valid place in security, when used correctly. Now, password

          • They are complex and difficult to use in practice, which is why nobody does. They could be encrypted by a password, but still need to be carried around and installed on computers.

            The underlying problem is that every web site insists on you sending your password in clear text to them. Sure it is over TLS, but there is no way for a user to verify the URL. Not even slashdot users can tell that sIashdot.org is a forgery (siashdot).

            A better solution is an old one, Digest based authentication. So you never ac

            • >"Secure Remote Password (SRP) is an old algorithm that addresses these issues. [wikipedia.org]"

              +1 informative

              That is very interesting, and a good idea. Of course, if the browser is filling the password in automatically, because it conveniently "remembers" it (and sends a hash), it still short-circuits the important "what you know" concept of security. But it solves the problem of server hacks and MITM.

              Brute force is easy to mitigate, just throw in failure delays and long number-of-attempt (from any so

              • Brute force is actually not easy to mitigate in this sense.

                If you yous a normal Digest then a Phisher will send the nonce and get the digest that corresponds. The phisher can now do an OFF LINE attack until a match is found. Might even use a rainbow table if there is no client nonce.

                SRP and PAKE generally involves much cleverness to avoid this.

      • Your solution isn't. All computer security should require two things. Something you know and something you have. Getting both is very difficult. Getting one is much much easier. OTP operates as something you have, Sure the SSH key is also something you have and probably a better protection, but throwing away the something you know only makes it less secure overall.

        • by dgatwood ( 11270 )

          Typically, the passcode on the device is the "something you know". Having a second "something you know" might make it more secure for accessing it on that device, but it tends to make your account less secure for accessing it from other devices, because you have to know it, so it's kind of a tradeoff.

          But treating each device a permanently signed in has other advantages that, IMO, mostly outweigh those concerns — specifically the ability to see when a new device signs on, kick an unauthorized or stol

          • Having two "something you knows" does not increase security. Usually, if you can compromise one factor you can immediately also compromise all factors from the same category. "Something you know" is either stored in a password safe, meaning that if you compromise one you also compromised the other, you create two near identical systems because that's how people simply are, or the system is coded in a way that if you compromise one you also compromise the other. There are very few scenarios where you actuall

            • by dgatwood ( 11270 )

              Having two "something you knows" does not increase security. Usually, if you can compromise one factor you can immediately also compromise all factors from the same category.

              You're correct to within the margin of error, but it isn't strictly true.

              For example, two "things you have" can make a system more secure if they are not typically possessed simultaneously. Someone stealing one device is unlikely to steal all of your devices, and if, in the time that it takes for them to crack your device, you can use

      • >"The entire notion of having to sign in using an inherently weak scheme like passwords is flawed, and adding a second factor as weak as SMS doesn't improve the situation in any meaningful way,"

        That is absolutely untrue. First, using a "private key" is only something you have, not something you know. Anything that depends only on a "key" can be stolen or lost (physical or not, it isn't something in your brain). Second, even if SMS, itself, is weak, using it as a second factor does improve security IM

    • Subject says it all. SMS is not secure enough for this purpose.

      Ok, so "nothing" is a better idea?

      You've got the floor: Suggest a better (and practical) alternative. We'll wait.

      • TOTP. Apple can even come up with its own app with an API that lets the authenticator auto-fill the codes when requested by the app. Bonus points if the key to the TOTP is stored in the secure enclave.

    • by jasnw ( 1913892 )

      To rephrase what an earlier poster (modded to 0 for whatever reason) said, SMS is used because secure alternatives are viewed as unworkable by both ends of the transaction chain. I would much prefer to use a private key, either software or hardware (Yubikey-like) for verification, but most institutions don't make that option available for mere raggedy-assed-masses customers. They don't make it available because most of their users won't want to (or can't) use it. Whether secure enough of not, SMS is easy

    • I would love for that to happen. Unfortunately, many of the sites I use seem to use SMS for OTP if I enter my phone number for any reason on their site, including for unrelated reasons like notifications (which are often convenient and sometimes important for financial things).
    • by fermion ( 181285 )
      But the mobile is secure. And it is difficult for an attacker to associate a random text message to the account it validates. For countries where most people only have a mobile, the SMS is the best and easiest way. Also, for security the verification is done through a secure app associated only with the mobile number, and is still can be automatically detected by the mobile OS
      • by jabuzz ( 182671 )

        Until I ring up the mobile firm and persuade them to port your number to a different SIM. That's the problem with SMS for OTP, and it's a real problem. The other year when the TSB bank in the UK was having IT problems a number of customers where hit with SIM swapping fraud that drained their bank accounts because the TSB was using SMS for OTP.

    • by guruevi ( 827432 )

      You can communicate secret data over insecure channels. That's what the Internet is built on and apparently what Apple wants to do. If you send a cryptographic message over SMS where both sender and receiver can agree on session state, it's a secure method of exchanging data through another pathway than the actual session.

      I'd love to have a 2FA that works with my finger print and some systems already have that, but the infrastructure isn't standardized and it requires a typically closed-source app. SMS is o

      • You can communicate secret data over insecure channels. That's what the Internet is built on and apparently what Apple wants to do. If you send a cryptographic message over SMS where both sender and receiver can agree on session state, it's a secure method of exchanging data through another pathway than the actual session.

        By establishing a secure channel over SMS, you've just done the same work that would've been needed to set up a real 2FA app like Authy [authy.com]. Except in Authy's case, the crytographic synchron

  • by gweihir ( 88907 ) on Thursday January 30, 2020 @12:40PM (#59671344)

    There are attacks on this in the wild. SS7 basically has only its incredible complexity as security and it is _old_.
    Stop using SMS for OTPs unless you have really low security requirements.

  • by IsThisNickTaken ( 555227 ) <Fred____Smith@@@hotmail...com> on Thursday January 30, 2020 @12:43PM (#59671358) Homepage
    Due to the possibility of SIM swaps, how about "don't do that". See https://www.wired.com/story/si... [wired.com], https://www.consumer.ftc.gov/b... [ftc.gov], and https://krebsonsecurity.com/ta... [krebsonsecurity.com]
    • Depends on who you are. I'm just an average schmoe so SMS 2FA is fine for me. Nobody's going to randomly pick me out and go through the hassle of hacking my SIM card.

      If I'm Justin Kardashian or some Youtube griefer edgelord "influencer" then sure, I'd want a bit more security because people are after me. Just like the famous tend to have bodyguards fairly often and I've never needed one in my life.

      • by dgatwood ( 11270 )

        Depends on who you are. I'm just an average schmoe so SMS 2FA is fine for me. Nobody's going to randomly pick me out and go through the hassle of hacking my SIM card.

        And if that's true, then it is also true that choosing a good, strong password will ensure that nobody will get as far as needing the second factor. So:

        • For people who actually need a second factor for reasons other than their own inability to use a password manager, SMS is a useless second factor.
        • For people who don't actually need a second fa
        • False. Any password is susceptible to cracking. I generally use random generated passwords but there are various easy, automated ways those can be compromised. SIM compromising is generally targetted.
          • by dgatwood ( 11270 )

            False. Any password is susceptible to cracking.

            Fine. My password is 895 characters long. Happy cracking. :-)

            Yes, in theory, you are correct, but in practice there's the pesky little problem of the heat death of the universe happening first. Cracking a password, absent a compromise of the database itself, requires that the server not be configured to do any of the following:

            • Handle repeated authentication failures on an account by temporarily limiting access to devices that are already signed in.
            • Detec
            • It doesn't take millions of compute hours to crack a password that is poorly encrypted or not encrypted in transit and captured.

              Easy scenario would be using a public computer. I don't, of course, but let's say I use a buddy's computer and he is infected with something. 2FA would protect me pretty well.

              Another would be a company not using good password handling hygiene. Suddenly a huge list with my password gets out on the (dramatic music, I'm being sarcastic here) "DARK WEB". Again, 2FA helps.

              • by dgatwood ( 11270 )

                It doesn't take millions of compute hours to crack a password that is poorly encrypted or not encrypted in transit and captured.

                Any website not using HTTPS is not secure by its nature, so we can ignore that. And if you can compromise the password database, you can also probably add your own session key or whatever, and skip the sign in entirely, so that's also moot.

                Easy scenario would be using a public computer. I don't, of course, but let's say I use a buddy's computer and he is infected with something. 2

    • A SIM swap will just send the OTP to another phone rather than yours. The attacker can still log in as you.

      The big problem here is you receive an SMS and automatically confirm the log-in on your phone. That means when an attacker logs in as you, your phone automatically confirms the log-in, and your 2FA does nothing. The check is reduced to "is your phone on?"

      We already have a problem with 2FA where an app on your phone asks if you're authorizing a log-in and users, sitting in front of their e-mail,

      • by guruevi ( 827432 )

        The point is that the SMS has embedded in it information that only your phone and the other party knows but cannot be snooped without breaking SSL or your phone, eg. a public key to a particular session. If you receive a message on your phone that is faked, the session ID's won't match up and you break the connection, if another phone receives the message, it will be useless without knowing the private key that's on your phone.

        • An attacker goes to www.yourbank.com and logs in with your user ID and password.

          The bank sends 2FA to your phone.

          Your phone automatically sends 2FA to your bank.

          The attacker is greeted and given access to your accounts, as your phone has input the 2FA token the bank has sent.

          • That's not what this is for (at least my understanding). This is for handing the 2FA code directly to the app without having the app have permission to read all text messages. If the app isn't what requested it, this won't do anything.

            Nevermind the fact that they could help push the use of anything but SMS 2FA.

      • by Corbets ( 169101 )

        I don’t think you understand what’s actually being proposed... an attacker could only “log in as you” in this manner if they already have access to your phone.

        • My phone sends me OTP each time I log into something, and I enter the OTP into the machine from which I logged on. Sometimes I have to get up and go to a window to get signal.

          The point of the proposal is to eliminate the action taken with OTP: it immediately sends the OTP to the challenger.

      • by bsolar ( 1176767 )
        The device being able to automatically process an OTP SMS doesn't mean it has to confirm the login without user interaction. Integrated OTP solutions often provide a small code to recognize the login attempt which the user is supposed to verify and match with the originating site/app before pushing "yes, log in".
      • We already have a problem with 2FA where an app on your phone asks if you're authorizing a log-in and users, sitting in front of their e-mail, think they're about to get logged off and tap "approve".

        So, name me one "authorization" scheme that cannot be "defeated" by jaded click-happy Users?

  • ...a.k.a the "Non-Slashdot" world (planet Earth), everyone uses SMS OTP. Maybe when we populate Mars we will ban the use of SMS OTP, but until then this sounds like a decent proposal.

    • ...a.k.a the "Non-Slashdot" world (planet Earth), everyone uses SMS OTP. Maybe when we populate Mars we will ban the use of SMS OTP, but until then this sounds like a decent proposal.

      Exactly.

      I note that not one of the naysayers and Haters have proposed a workable alternative.

      Pretty telling.

      • A time-based cryptographic generator that's stored as an app on your phone or computer, which generates a new passcode every 30 seconds based on a certificate and key you and the service synchronized at an earlier date. Authy [authy.com] is probably the best one since it tries to protect access to it on your device (need to enter a PIN or password every time you use it, unlike Google Authenticator which assumes if your phone is unlocked that it's you using it), and allows synchronization across multiple platforms (so
    • On the one hand, SMS OTP is currently the most practical scheme.

      On the other hand, including the website URL in the message is a BAD idea. Just like you should never store your user ID with your password.

      In the real world, no matter how many sites a user is logging into, it's happening one login at a time. Including an URL with the message just isn't necessary. if a user is too confused to know which site (or app) gets the OTP, they are going to be making worse mistakes than that.

    • And yet TOTP stored with an identifier to associate it with an app would give them the control to solve this problem themselves. At least for services/apps that have TOTP as an option. This might be a great way to get greater adoption.

      I'm less concerned about the security of SMS and more concerned that every online account wants my cell number.

    • The only SMS OTPs I seem to receive are from Google. Even Apple doesn't use SMS for OTP, preferring to roll their own solution into iOS/macOS based on iCloud push notifications. Everyone else seems to use TOTP.
  • Elon Musk will only take honest people to Mars.
  • Given that SMS is insecure the lack of ability to link a OTP directly with a specific request from the message itself IS A SECURITY FEATURE.

    Apple's proposal would allow automation of breaking OTP, not by luck, not by direct targeted action, but in a remote and widely automated way.

    • by EvilSS ( 557649 )

      Given that SMS is insecure the lack of ability to link a OTP directly with a specific request from the message itself IS A SECURITY FEATURE.

      Apple's proposal would allow automation of breaking OTP, not by luck, not by direct targeted action, but in a remote and widely automated way.

      Except in most cases, the codes for a SMS token come from the same number for a given company/service/site, so it would be trivial to figure out who is sending the code. And quick if you are a bad actor and setup a contact for that number. Additionally, the kind of attack you are talking about is vastly outnumbered by simjacking attacks anyway, which allow the bad guys to login at their leisure.

      What Apple is proposing is a way to ensure the site you type the code into is the legitimate site that should be

      • Except in most cases, the codes for a SMS token come from the same number for a given company/service/site, so it would be trivial to figure out who is sending the code.

        The point isn't who is sending the code. The point is linking the code to an instance. It doesn't help you if Mastercard is sending a code if you can't link the the code to the specific transaction. Apple is talking about being able to identify the transaction. That opens you up to using the codes in conjunction with attacks on the authentication system.

        It's bad enough that Citibank gives you the last 4 digits of the credit card in the OTP SMS. That alone is already too much linking. It would be sufficient

  • Their proposal meant that I can send someone an SMS and get them to access a malicious URL automatically?
  • Android already does this. Messages that come in that are SMS 2FAcodes it extracts and notes the code separately. Smarter apps -- like Bank of America -- finally figured out that a 2FA SMS to the device you're using to log in with in the first place is just an annoyance, not a security issue. They auto-detect the SMS code and fill in the blank for you.

    • by Corbets ( 169101 )

      Apple already does this as well. The proposal seems to be to make it universal instead of requiring some intelligent parsing - Apple sometimes isn’t able to see the code in my experience.

  • by enriquevagu ( 1026480 ) on Thursday January 30, 2020 @01:58PM (#59671692)

    The use of SMS messages as part of a 2FA mechanism is OK: while SIM swapping is a thing, SMS messages complement the other security mechanism (typically, a password) and the combination of the two mechanisms is safer than each of them individually.

    SMS messages are NOT OK as a single-factor authentication mechanism, such as a backup mechanism to recover your email password (hint: never give your phone number to your email provider).

    However, increasing the information contained in the SMS to define the originator of the request seems... weird.

    • Not weird, dangerous!

      If an SMS is linkable to a specific instance then it provides you an attack on the auth system itself. If it's just some number from Citibank whizzing through the SMS world then it's not tracable to a current auth attempt.

      • Example: Losing my key in the park is not an issue. Losing my key in the park with a tag on it that lists my home address and the word "front door" is a BIG problem.

  • I can imagine someone sending SMS in bulk to get people to open Web pages containing WebKit exploits. At least make it a "Would you like to authenticate to example.com?" rather than adding to all those text-rendering-based crafted message attacks.

  • Make the user actually READ the text and type in the 4 to 6 number OTP code. That ENSURES there's a human in there, it's not an automated/scamware tool running to validate you automatically.
  • Just what I want—other applications automatically reading stuff from SMS messages. Bad bad bad idea. Less bad is having a human in the loop who has to type it in, having read it from a message whose format cannot be counted on to be consistent.
  • The part which bugs me about SMS auth codes (other than the insecure part) is that I have to type them in. BUT, I would hate to have it just work with no user interaction. Then what happens if someone manages to subvert a site's auth, and it just goes on through because I'm sitting right there using some other site?

    Personally, I'd prefer either a way for my devices to see each other with bluetooth, and then on one device click "This one's the code, go", and have it all work out. Or a QR code would be fin

  • Yeah, because Apple have been real champions at promoting & adhering to standards, right? How many expensive, defunct, & useless cables, dongles, adaptors, & power supplies have Apple consumers bought over the past 10 years?

Consider the postage stamp: its usefulness consists in the ability to stick to one thing till it gets there. -- Josh Billings

Working...