Apple’s 2FA autofill feature is now better at blocking phishing attacks
Apple’s SMS 2-factor authentication (2FA) autofill feature has been around for a while now. For those unfamiliar with it, when you receive an SMS with a 2FA code, the iOS keyboard automatically suggests inserting it in the dedicated field. This spares users the hassle of launching the Messages app, copying the code, then pasting it in the field. iOS 15 brought plenty of new additions, including a built-in 2FA code generator in Apple Keychain. However, plenty of websites and users still rely on SMS 2FA verification, which isn’t the most secure method. To help protect users from theft and account compromise, Apple’s SMS 2FA autofill feature no longer works when it detects a potential phishing attack.
Macworld has reported that Apple’s 2FA autofill from SMS feature no longer works when it detects a potential phishing attack. The change affects users on iOS 15, iPadOS 15, and macOS 11 Big Sur. Back in August 2020, Apple proposed switching to a new SMS format when sending 2FA codes. Messages would arrive as “Your Apple ID Code is: 123456. Don’t share it with anyone. @apple.com #123456 %apple.com” instead of “Your Apple ID Code is 123456. Don’t share it with anyone.” The company said that this shift aims to improve the integrity of its operating systems when auto-filling 2FA codes from SMS.
So users running the latest versions of the company’s operating systems will no longer get the option to auto-fill a 2FA code if the domain name in the SMS doesn’t match that in the browser. While this method won’t completely block phishing, it’ll at least deter some of the attempts. It’s worth noting, though, that websites would have to adopt the new SMS format suggested by Apple for it to work.
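The domain check described above can be sketched as follows. This is an added example, not Apple's code: it parses the trailer format quoted in the article and compares the SMS domain with the host of the page asking for the code. The function names, the subdomain-matching rule and the page URLs are assumptions made for illustration.

```javascript
// Added example (not Apple's code). Trailer layout follows the article's sample:
//   "... @apple.com #123456 %apple.com"
const TRAILER = /@(\S+) #(\S+)(?: %(\S+))?\s*$/;

// Constructed sample messages, copied from the two formats quoted in the article.
const BOUND_SMS =
  "Your Apple ID Code is: 123456. Don't share it with anyone. @apple.com #123456 %apple.com";
const LEGACY_SMS = "Your Apple ID Code is 123456. Don't share it with anyone.";

// Extract the domain and code from the trailer, or null for a legacy message.
function parseBoundCode(sms) {
  const m = TRAILER.exec(sms);
  if (!m) return null;
  // m[3] (the "%" domain) is parsed but unused: the article does not explain it.
  return { domain: m[1].toLowerCase(), code: m[2], extraDomain: m[3] || null };
}

// Assumption: the page host matches if it equals the SMS domain or is a
// subdomain of it. A plain substring test would accept lookalike hosts.
function hostMatches(host, domain) {
  const h = host.toLowerCase().replace(/\.$/, "");
  return h === domain || h.endsWith("." + domain);
}

// Returns { status, code }: "offer" when the domains match, "suppress" on a
// mismatch, "unbound" when the SMS has no domain to compare against.
function autofillDecision(sms, pageUrl) {
  const bound = parseBoundCode(sms);
  if (!bound) return { status: "unbound", code: null };
  const host = new URL(pageUrl).hostname;
  return hostMatches(host, bound.domain)
    ? { status: "offer", code: bound.code }
    : { status: "suppress", code: null };
}

// Hypothetical page URLs; the second is a constructed lookalike host.
for (const url of [
  "https://appleid.apple.com/sign-in",
  "https://apple.com.account-verify.example/sign-in",
]) {
  console.log(url, "->", autofillDecision(BOUND_SMS, url).status);
}
console.log("legacy ->", autofillDecision(LEGACY_SMS, "https://apple.com/").status);
```

The "unbound" result is the case the article warns about: a message in the old format carries no domain, so there is nothing to compare against the page.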
If the websites you visit offer the option to use 2FA through a code generator rather than SMS, then we advise you to switch to that method, as it’s more secure than text messages. If you’re running iOS 15, you won’t need to install any third-party 2FA apps, as the built-in Keychain now supports it.