Apple Introduces Domain-Bound SMS Codes for Stronger 2FA

Last updated June 16, 2021
Written by:
Bill Toulas
Bill Toulas
Cybersecurity Journalist
Source: Apple

Two-factor authentication is a step towards better security when attempting to log in on an online platform or to authenticate for a transaction. Even SMS-based implementations are better than just filling out your passwords. However, hackers have repeatedly shown their capacity to intercept these SMS messages and use them to take over target accounts.

Apple is looking to plug another hole in that regard, making the interception from malicious actors harder, and rendering “AutoFill” into a more secure system that users will feel comfortable trusting.

Starting with iOS 14 and also the macOS Big Sur, developers will get the option to associate SMS-delivered codes with specific web domains. This means that the “AutoFill” system will check the incoming code, verify that it’s from the defined domain, and only offer to fill it out if the user is indeed on the right domain.

If they’re browsing on a phishing website that looks like the real thing but isn’t, AutoFill will not offer the code, leaving the user to manually fill it out. This step should be a clear sign that something’s wrong, so the user would stop right there.

verify manually

Source: Apple

Apple is giving the following example of how this works:

“If you receive an SMS message that ends with @example.com #123456, AutoFill will offer to fill that code when they interact with example.com, any of its subdomains, or an app associated with example.com. If instead you receive an SMS message that ends with @example.net #123456, AutoFill will not offer the code on example.com or in example.com’s associated app.”

While this is just an optional extra layer of security, Apple encourages website and app developers to adopt the new standard. Apple has done its part by introducing the system, but it’s on the developers’ hands to actually bring the benefit to the users and help ramp up their security.

Even then, hackers still have ways to intercept 2FA codes, so if you want the best possible solution, you’d better use a software-based tool like Authy or Google Authenticator. But then again, even these aren’t totally safe from sophisticated malware, as we have seen in the recent past.

Apple is taking a step in the right direction with domain-bound codes, and this is, without a doubt, a security enhancer. Moreover, the new system will also replace the need to implement heuristical extraction systems that work reliably. Finally, no SMS message content will be exposed to websites, so there are no privacy or security worries that arise from the introduction of the new system.



For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: