Google Backs Apple's SMS OTP Standard Proposal
Google is now backing a standard proposed by Apple engineers in January to create a default format for one-time passcodes (OTP) sent via SMS to users during the two-factor authentication (2FA) process. From a report: The standard, proposed by Apple engineers working on the Safari WebKit project, has now reached the status of official Web Platform Incubator Community Group (WICG) specification draft. "We've moved 'Origin-bound one-time codes delivered via SMS' to @wicg_, where we're working on a shared spec with our collaborators at Google. Please take a look! Updated explainer, and specification," wrote Apple's Ricky Mondello. The proposal aims to fix some issues with the current state of SMS 2FA/OTP codes, all of which have different formats, unique per the websites sending the codes.
SMS? WHY?!?!? (Score:5, Insightful)
Re: (Score:3)
I do not buy that. Walk into your local phone store and try to buy a phone that is not a smart phone. You might be able to do so, but chances are against you. Smartphones have taken over the mobile phone market, comprising roughly 3 out of 4 phones sold worldwide - I'm including the developed world. Those numbers are only going to grow as just last year feature phone shipments dropped 22% worldwide.
https://www.counterpointresear... [counterpointresearch.com]
There is no good reason to use a SIM based delivery mechanism for a security
Re: (Score:2)
There is no good reason to use a SIM based delivery mechanism for a security password. Support for a data based delivery mechanism is widely available.
You can deliver data over SMS as well as over a data connection. Receiving SMS is often free. Having a data plan often requires an additional fee. If an OTP delivered over SMS has some standard format, then you can encrypt the OTP; e.g. send it encrypted with the recipient's private key.
Re: (Score:2)
If the answer is between "Leave SMS OTPs alone" and "Improve the experience somewhat", there's no reason not to take the latter path; I agree that phasing out SMS auth, given the insecurity of it, is the direction we need to go, but that's not going to happen instantly, and as we move to sunsetting the idea of SMS OTPs, we should do what we can to make the experience as good as is reasonable.
"make the experience as good as is reasonable" isn't really a good argument for not phasing this out ASAFP.
Given the two companies being mentioned here, this is one of those times they should (ab)use their market power to make this happen as quickly as possible.
Re: (Score:2)
I checked the spec and it does nothing to prevent SIM cloning/theft. It's basically worthless and better alternatives already exist.
The only reason web sites like SMS is to harvest your phone number.
Re: (Score:2)
You have to ask :)
It allows Google and others to link your phone to another device; this way, people who use general-purpose devices at home or the office can be linked to your cell.
I never allow 2FA on my cell and pretend I do not even have a cell when asked.
Re: (Score:3)
SMS authentication is popular since it is the easiest and cheapest way to add a second authentication factor on top of the username and password. Other alternatives that I have seen all require the end user to have an additional piece of hardware (such as a SecurID or U2F token, which increases the cost for the site). And depending on how it's done, it may not work on all platforms either (e.g. if it's a device that plugs in somehow rather than just being a token generator).
Re: SMS? WHY?!?!? (Score:1)
SMS also allows companies to further build a profile about you, personalize any ads delivered that much better, text you about new and useless shit you don't need, and is an asset when they decide to up and sell all of your information to whoever.
Best of all, when someone clones your SIM all this fancy two factor stuff does jack shit to protect you or your information, and further, depending on how well a hacker manages to mimic you, it might help implicate you in whatever nefarious shit he's up to. Bo
Re: (Score:2)
It's popular, cheap and insecure. If all you're after is a bit of security theater, fine, but unfortunately that crap is marketed as "secure". And that it ain't.
Re: (Score:3)
SMS authentication is popular since it is the easiest and cheapest way to add a second authentication factor on top of the username and password.
... and is among the least secure ways to do it.
Other alternatives that I have seen all require the end user to have an additional piece of hardware [or software]
... which is what makes it so much more secure.
Again the choice is: convenience, or security.
Re: (Score:1)
And if you don't understand why the user will always pick convenience then you're fighting a losing battle.
HOTP and TOTP (Google Auth, Microsoft, Symantec) (Score:2)
> Other alternatives that I have seen all require the end user to have an additional piece of hardware
There are a dozen apps from major companies which all use the TOTP and HOTP protocols. There are also hardware tokens that do the same. Examples of HOTP/TOTP solutions include:
Google Authenticator
Microsoft Authenticator
Symantec
Duo
Yubikey (hardware)
These two related protocols let the user choose whether to use a hardware device or choose which app to use, and you can use the same app for many sites and ser
Re: HOTP and TOTP (Google Auth, Microsoft, Symante (Score:1)
The security for my bank is not to have any sort of an online connection to them. Their 'app' can be skipped, their web portal never logged onto.
Re: (Score:2)
What about TOTP? It's free, you can use any number of apps for it.
SMS is relatively expensive. The network charges for every one sent. SMS has geographic problems too: say you roam to a country that isn't on your plan or on the service's plan, then you both get a big bill for every message sent. It's not just the SMS cost either; they will need an SMS gateway service too.
Back when I was working on IoT stuff a few years ago everyone was trying to get away from SMS. As well as the expense you can't send much d
Re: (Score:2)
Well it seems like the standard is related to how to format the OTP message. It seems like it could be used regardless of the technology used to deliver it. So it seems like it could be used to send the OTP in SMS, RCS, iMessage, Signal, or whatever other app/protocol you want.
It seems like part of the intention is to allow the OTP to be sent directly to the device via a side-channel, so that it can be parsed and then used directly by the browser. So one possible application of this could be that you hav
Your Slashdot account isn't that important (401k i (Score:2)
My kid's bike has very different level of security protecting it from theft than the jewelry store down the road has. I definitely don't hire armed guards to protect her $50 bicycle. I would hire armed guards to protect the Mona Lisa.
My mom is retired. She had saved enough money to live on for 20 years. So CharlesSchwab.com needs to have high security, because the impact of unauthorized access would likely be very high. My Slashdot account has only the password. No additional second factor is required, has
You have a point there (Score:2)
That's a reasonable counter-argument.
Re: (Score:2)
Why on earth would they be pushing for anything that uses SMS for authentication!?
Because it is cheap and (usually) better than nothing.
Re: (Score:2)
Because most people have mobile phones these days. :(
Re: (Score:3)
They're not pushing anything.
They're addressing a problem with SMS for authentication that is already in use.
I'm pretty sure if Apple wanted to push something, they'd make an i2FA :)
This is a pretty quick and dirty standard that can help the current situation.
For example, this becomes an easy standard by which a platform can associate an OTP with an app/website. For example, on Android, for OTP to work automatically via SMS, the application basically has to have full permission to read ALL your SMS messages. T
Allow certain msg apps instead (Score:1)
I would rather prefer they allow specific approved messaging apps that have ENCRYPTION of all things, along with openness etc.. for us to use instead of SMS.
For example, Signal App. Preferably something open source and not owned by a conglomerate like Facecrook (WhatsApp) or crApple (iMessage).
Re: (Score:2)
In the end, you'll still install some sort of app, or what do you think is going to interpret that QR code?
Re: (Score:2)
Yes, but I want to be able to choose my own (trusted, open source) app.
To what end? (Score:2)
OTP codes aren't intended to be memorable, so who cares if they look the same? In fact, wouldn't a standard be determined by the harshest need so they'd often be unnecessarily long and complex where you don't really care if there's a 1/10000 chance of getting it right by guessing. Not everything needs a "one in a billion" six character alphanumeric code like my online bank uses.
Re: (Score:2)
They're suggesting a standard message, not a standard code. More or less, rather than having to build a parser for each and every message, the mobile platform vendors would rather have a standard format for those messages (e.g. "Your code is: [code here]") so that they know how to accurately pull the code out programmatically so that you can easily paste it into your app or whatever else.
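The parse-and-bind step this reply and the earlier "associate an OTP with an app/website" comment describe, as an added example that is neither the thread's nor the WICG draft's code. It assumes the draft's last-line grammar as given in the explainer (`@<host> #<code>`, with an optional second `@<host>` for a login page embedded in another site), which the thread itself only paraphrases; the sample messages are constructed.

```python
import re

# Last-line grammar as I read the WICG explainer (an assumption; the thread only quotes the
# informal "Your code is: [code here]" shape). The host is the schemeless origin that the
# browser compares against the page asking for the code.
LAST_LINE = re.compile(
    r"^@(?P<host>[^\s@#]+) #(?P<code>[^\s@#]+)(?: @(?P<embedder>[^\s@#]+))?$"
)


def parse_origin_bound_otp(message: str):
    """Return {'host', 'code', 'embedder'} from the final line, or None if the message is
    a legacy, unbound OTP text that a platform would have to guess at with heuristics."""
    lines = [ln.strip() for ln in message.strip().splitlines()]
    match = LAST_LINE.match(lines[-1]) if lines else None
    return match.groupdict() if match else None


def code_for_page(message: str, page_host: str, embedder_host=None):
    """Model the browser-side check: hand the code only to the site it was issued for.

    A code bound to example.com is never offered to a look-alike host, which is the
    phishing case the binding closes. It does nothing against SIM swap or cloning, where
    the attacker receives the genuine message for the genuine host, as the thread notes.
    Embedded-frame hosts must match exactly in both directions (strict reading, mine).
    """
    parsed = parse_origin_bound_otp(message)
    if parsed is None or parsed["host"].lower() != page_host.lower():
        return None
    want = (parsed["embedder"] or "").lower()
    have = (embedder_host or "").lower()
    if want != have:
        return None
    return parsed["code"]


# Constructed sample messages, not taken from any real service.
BOUND = "747723 is your example.com authentication code.\n\n@example.com #747723\n"
EMBEDDED = "Your code is 918273.\n\n@login.example #918273 @shop.example"
LEGACY = "Your code is: 123456"
```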
Re: (Score:2)
I think part of this idea is to allow apps to intercept the SMS code, so it doesn't have to be displayed at all.
Stop using SIM based authentication already (Score:2)
This implementation is a good idea that is poorly executed and needs to be stopped now before it becomes a widely adopted standard. OTP itself /is/ a good concept, but the delivery mechanism gives it negative value. This is because the proposed standard depends on a SIM and a SIM is highly susceptible to cloning and theft.
This is a bit like putting a nice strong security gate across a road with wide grass shoulders. You can readily drive around the gate by going over the curb. Better to kill the standard no
Incomplete Story (Score:2)
Don't forget, Google Authenticator is the standard way of doing non-SMS OTP... Apple seems to want to trash that.
Behind Barn (Score:1)
These arseholes should all be collected up and taken out behind the barn and shot, ridding the planet of a bunch of useless stupid arseholes. This should be done before they breed and pass their stupid arsehole gene further into the gene pool. If they have already bred, then all their descendants should also be taken out behind the barn and shot with them.
Please stop, stupid 2nd factor (Score:3)
Most people's primary access to services is the phone. That's where they use their password/PIN (1st factor, "what they know"). On the same phone where the SMS arrives. If I'm already on the phone, why the frick do I have to receive an SMS, too? That only proves the mobile phone network is operational.