Google Backs Apple's SMS OTP Standard Proposal

Google is now backing a standard proposed by Apple engineers in January to create a default format for one-time passcodes (OTP) sent via SMS to users during the two-factor authentication (2FA) process. From a report: The standard, proposed by Apple engineers working on the Safari WebKit project, has now reached the status of official Web Platform Incubator Community Group (WICG) specification draft. "We've moved 'Origin-bound one-time codes delivered via SMS' to @wicg_, where we're working on a shared spec with our collaborators at Google. Please take a look! Updated explainer, and specification," wrote Apple's Ricky Mondello. The proposal aims to fix some issues with the current state of SMS 2FA/OTP codes, all of which have different formats, unique per the websites sending the codes.
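As an added example (not code from the page, the WICG draft, or Apple/Google), here is a parser for the proposed origin-bound SMS format together with the origin check a browser would apply before offering the code to a page. The `@host #code` last-line layout is my reading of the draft and is an assumption, as are the sample messages; check the current specification text before relying on it.

```javascript
// Added example: parse an SMS in the origin-bound OTP format and decide
// whether a browser may autofill the code into the page the user is on.
// ASSUMPTION: the binding is the last line of the message, "@<host> #<code>".
// This is my reading of the WICG draft, not text quoted from the page.

// Parse one SMS body. Returns { host, code } or null when the message is not
// in the origin-bound format (a legacy "Your code is: 123456" text gives null,
// so nothing is offered for autofill).
function parseOriginBoundOtp(sms) {
  const lines = sms.split(/\r?\n/).filter((l) => l.length > 0);
  if (lines.length === 0) return null;
  const last = lines[lines.length - 1];
  // Exactly "@host", whitespace, "#code"; anything else is not a binding line.
  const m = /^@([^\s#@]+)\s+#(\S+)$/.exec(last);
  if (!m) return null;
  return { host: m[1].toLowerCase(), code: m[2] };
}

// Only release the code when the bound host equals the host of the page origin.
// A look-alike phishing host therefore never receives the code, which is the
// point of binding the OTP to an origin rather than just standardising its text.
function codeForOrigin(sms, pageOrigin) {
  const parsed = parseOriginBoundOtp(sms);
  if (!parsed) return null;
  let host;
  try {
    host = new URL(pageOrigin).host.toLowerCase();
  } catch (e) {
    return null; // malformed origin: refuse rather than guess
  }
  return host === parsed.host ? parsed.code : null;
}

// Constructed sample messages (not real traffic).
const BOUND_SMS = "747723 is your ExampleShop code.\n@shop.example #747723\n";
const LEGACY_SMS = "Your code is: 552910";
```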
  • SMS? WHY?!?!? (Score:5, Insightful)

    by Sebby ( 238625 ) on Tuesday April 07, 2020 @03:48PM (#59918618)
    Why on earth would they be pushing for anything that uses SMS for authentication!?
    • If the answer is between "Leave SMS OTPs alone" and "Improve the experience somewhat", there's no reason not to take the latter path; I agree that phasing out SMS auth, given the insecurity of it, is the direction we need to go, but that's not going to happen instantly, and as we move to sunsetting the idea of SMS OTPs, we should do what we can to make the experience as good as is reasonable.
      • by Anonymous Coward
        I disagree. Making it easier to do the wrong thing is a bad idea.
      • I do not buy that. Walk into your local phone store and try to buy a phone that is not a smart phone. You might be able to do so, but chances are against you. Smartphones have taken over the mobile phone market, comprising roughly 3 out of 4 phones sold worldwide - I'm including the developed world. Those numbers are only going to grow as just last year feature phone shipments dropped 22% worldwide.

        https://www.counterpointresear... [counterpointresearch.com]

        There is no good reason to use a SIM based delivery mechanism for a security

        • by vyvepe ( 809573 )

          There is no good reason to use a SIM based delivery mechanism for a security password. Support for a data based delivery mechanism is widely available.

          You can deliver data over SMS as well as over a data connection. Receiving SMS is often free. Having a data plan often requires an additional fee. If an OTP delivered over SMS has some standard format then you can encrypt the OTP; e.g. send it encrypted with the recipient's private key.

      • by Sebby ( 238625 )

        If the answer is between "Leave SMS OTPs alone" and "Improve the experience somewhat", there's no reason not to take the latter path; I agree that phasing out SMS auth, given the insecurity of it, is the direction we need to go, but that's not going to happen instantly, and as we move to sunsetting the idea of SMS OTPs, we should do what we can to make the experience as good as is reasonable.

        "make the experience as good as is reasonable" isn't really a good argument for not phasing this out ASAFP.

        Given the two companies being mentioned here, this is one of those times they should (ab)use their market power to make this happen as quickly as possible.

    • by AmiMoJo ( 196126 )

      I checked the spec and it does nothing to prevent SIM cloning/theft. It's basically worthless and better alternatives already exist.

      The only reason web sites like SMS is to harvest your phone number.

    • by jmccue ( 834797 )

      You have to ask :)

      It allows google and others to link your phone to another device, this way people who use general purpose devices at home or the office can be linked to your Cell

      I never allow 2FA on my cell and pretend I do not even have a cell when asked.

    • by jonwil ( 467024 )

      SMS authentication is popular since it is the easiest and cheapest way to add a second authentication factor on top of the username and password. Other alternatives that I have seen all require the end user to have an additional piece of hardware (such as a SecurID or U2F token, which increases the cost for the site). And depending on how it's done, it may not work on all platforms either (e.g. if it's a device that plugs in somehow rather than just being a token generator).

      • SMS also allows companies to further build a profile about you, personalize any ads delivered that much better, text you about new and useless shit you don't need, and is an asset when they decide to up and sell all of your information to whoever.

        Best of all, when someone clones your SIM all this fancy two factor stuff does jack shit to protect you or your information, and further, depending on how well a hacker manages to mimic yourself, it might help implicate you in whatever nefarious shit he's up to. Bo

      • It's popular, cheap and insecure. If all you're after is a bit of security theater, fine, but unfortunately that crap is marketed as "secure". And that it ain't.

      • by Sebby ( 238625 )

        SMS authentication is popular since it is the easiest and cheapest way to add a second authentication factor on top of the username and password.

        ... and is among the least secure way to do it.

        Other alternatives that I have seen all require the end user to have an additional piece of hardware [or software]

        ... which is what makes it so much more secure.

        Again the choice is: convenience, or security.

        • And if you don't understand why the user will always pick convenience then you're fighting a losing battle.

      • > Other alternatives that I have seen all require the end user to have an additional piece of hardware

        There are a dozen apps from major companies which all use the TOTP and HOTP protocols. There are also hardware tokens that do the same. Examples of HOTP/TOTP solutions include:
        Google Authenticator
        Microsoft Authenticator
        Symantec
        Duo
        YubiKey (hardware)

        These two related protocols let the user choose whether to use a hardware device or choose which app to use, and you can use the same app for many sites and ser

      • Even an authenticator app is hundreds of times more secure than an SMS. There really is no justification for using SMS in this day and age as an MFA mechanism; it is too easily compromised.
      • by AmiMoJo ( 196126 )

        What about TOTP? It's free, you can use any number of apps for it.

        SMS is relatively expensive. The network charges for every one sent. SMS has geographic problems too, say you roam to a country that isn't on your plan or on the service's plan then you both get a big bill for every message sent. It's not just the SMS cost either, they will need an SMS gateway service too.

        Back when I was working on IoT stuff a few years ago everyone was trying to get away from SMS. As well as the expense you can't send much d

    • Well it seems like the standard is related to how to format the OTP message. It seems like it could be used regardless of the technology used to deliver it. So it seems like it could be used to send the OTP in SMS, RCS, iMessage, Signal, or whatever other app/protocol you want.

      It seems like part of the intention is to allow the OTP to be sent directly to the device via a side-channel, so that it can be parsed and then used directly by the browser. So one possible application of this could be that you hav

    • by AHuxley ( 892839 )
      NSA and GCHQ like the methods in use?
    • My kid's bike has very different level of security protecting it from theft than the jewelry store down the road has. I definitely don't hire armed guards to protect her $50 bicycle. I would hire armed guards to protect the Mona Lisa.

      My mom is retired. She had saved enough money to live on for 20 years. So CharlesSchwab.com needs to have high security, because the impact of unauthorized access would likely be very high. My Slashdot account has only the password. No additional second factor is required, has

    • by gweihir ( 88907 )

      Why on earth would they be pushing for anything that uses SMS for authentication!?

      Because it is cheap and (usually) better than nothing.

    • by antdude ( 79039 )

      Because most people have mobile phones these days. :(

    • They're not pushing anything.

      They're addressing a problem with SMS for authentication that is already in use.

      I'm pretty sure if Apple wanted to push something, they'd make an i2FA :)
      This is a pretty quick and dirty standard that can help the current situation.

      For example, this becomes an easy standard by which a platform can associate an OTP with an app/website. For example, on Android for OTP to work automatically via SMS, the application basically has to have full permission to read ALL your SMS messages. T

  • I would rather prefer they allow specific approved messaging apps that have ENCRYPTION of all things, along with openness etc.. for us to use instead of SMS.

    For example, Signal App. Preferably something open source and not owned by a conglomerate like Facecrook (WhatsApp) or crApple (iMessage).

    • Frankly, I'd prefer a more disconnected approach, like Authy/Google Authenticator TOTP. But half the time, that turns into "buy this token/download our app" rather than "Here's a QR code with the seed" (looking at you, Square and Blizzard), so forcing that might just create more situations where I'm forced to install Yet Another Crap App rather than being able to use tools I have already.
  • OTP codes aren't intended to be memorable, so who cares if they look the same? In fact, wouldn't a standard be determined by the harshest need so they'd often be unnecessarily long and complex where you don't really care if there's a 1/10000 chance of getting it right by guessing. Not everything needs a "one in a billion" six character alphanumeric code like my online bank uses.

    • They're suggesting a standard message, not a standard code. More or less, rather than having to build a parser for each and every message, the mobile platform vendors would rather have a standard format for those messages (e.g. "Your code is: [code here]") so that they know how to accurately pull the code out programmatically so that you can easily paste it into your app or whatever else.

      • I think part of this idea is to allow apps to intercept the SMS code, so it doesn't have to be displayed at all.

        • WhatsApp does this already on Android. Why would anyone else need to parse some random website's OTP?
        • Yes, and this is something to be strongly discouraged. It makes app devs ever more reliant on a flawed mechanism that should not and cannot be trusted for OTP delivery.
  • This implementation is a good idea that is poorly executed and needs to be stopped now before it becomes a widely adopted standard. OTP itself /is/ a good concept, but the delivery mechanism gives it negative value. This is because the proposed standard depends on a SIM and a SIM is highly susceptible to cloning and theft.

    This is a bit like putting a nice strong security gate across a road with wide grass shoulders. You can readily drive around the gate by going over the curb. Better to kill the standard no

  • Don't forget, Google Authenticator is the standard way of doing non-SMS OTP... Apple seems to want to trash that.

  • These arseholes should all be collected up and taken out behind the barn and shot, ridding the planet of a bunch of useless stupid arseholes. This should be done before they breed and pass their stupid arsehole gene further into the gene pool. If they have already bred, then all their descendants should also be taken out behind the barn and shot with them.

  • by Gabest ( 852807 ) on Wednesday April 08, 2020 @02:07AM (#59920344)

    Most people's primary access to services is the phone. That's where they use their password/PIN (1st factor, "what they know"). On the same phone where the SMS arrives. If I'm already on the phone, why the frick do I have to receive an SMS, too? That only proves the mobile phone network is operational.
