Apple’s WebKit team has a proposal to standardize and secure SMS two-factor authentication codes with URLs (via ZDNet).
There are two parts to the team’s idea. The first is to associate these SMS codes with a URL, by adding the URL directly into the text. The second part would be a bit harder: Standardizing this format so that other browsers and apps can work with these messages. However, Google Chromium engineers are already working with the WebKit team. Mozilla hasn’t given feedback (yet).
It would eliminate user interaction, because a browser or app could automatically detect the SMS, read the web domain, extract the passcode, and log you in. The format would look like this, as an example:
747723 is your WEBSITE authentication code.
With this proposal, if a person falls for a phishing website, there would be a mismatch between the URL in the text and the URL of the fake website. The system could then alert the person that they don’t match.
It’s a great idea but it still doesn’t solve the biggest weakness with SMS two-factor authentication: SIM swapping. In this attack, a someone could pretend to be you and get your carrier to transfer your number to the attacker’s SIM card. They would then be able to receive your SMS codes, even with WebKit’s proposal.
One way to mitigate this threat is to create a SIM PIN, and I explain how to do that with the link below.