Apple recently shared its proposal to standardise the format of SMS one-time passwords (OTPs) used during two-factor authentication (2FA). Messages would contain a URL, so that browsers and apps can recognise the web domain within the message and automatically complete the authentication step for the user, minimising the risk of the code being entered on a fake site as part of a phishing scam.
We asked MEF Members for their views on Apple’s proposal and more generally their insights on standardisation and security for 2FA in enterprise messaging.
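To make the mechanism concrete, here is an added example (not code from the MEF article, Apple, or any member quoted below) of the check a browser or autofill agent performs under the proposal: parsing the machine-readable `@host #code` last line that Apple's published format uses, and refusing to fill the code unless that host matches the origin of the page asking for it. The message texts and the example.com hosts are constructed sample data.

```javascript
// Added example: the origin-bound one-time-code check the proposal relies on.
// The "@host #code" last-line format follows Apple's published proposal
// (WICG origin-bound one-time codes), not the MEF article; the messages and
// hosts below are constructed sample data, not real traffic.

const MESSAGES = {
  // Well-formed: human-readable line, blank line, then the machine-readable line.
  good: "747723 is your EXAMPLE authentication code.\n\n@example.com #747723",
  // Same code, but the final line names a look-alike host.
  lookalike: "747723 is your EXAMPLE authentication code.\n\n@examp1e.com #747723",
  // Legacy OTP text with no origin-bound line at all.
  legacy: "Your verification code is 747723",
};

// Parse the final line of an SMS into { host, code }, or return null when the
// message does not carry the origin-bound line. Only the last line is
// consulted, so text earlier in the message cannot override it.
function parseOriginBoundCode(text) {
  const lines = text.trim().split(/\r?\n/);
  const last = lines[lines.length - 1].trim();
  // host: bare domain (no scheme, no path); code: one non-whitespace token.
  const m = /^@([a-z0-9.-]+)\s+#(\S+)$/i.exec(last);
  if (!m) return null;
  return { host: m[1].toLowerCase(), code: m[2] };
}

// Decide whether an autofill agent may offer the code to a page at pageOrigin
// (e.g. "https://example.com"). This example requires an exact host match, so
// a subdomain or look-alike host is refused and the code is never exposed to it.
function shouldAutofill(text, pageOrigin) {
  const parsed = parseOriginBoundCode(text);
  if (!parsed) return { fill: false, reason: "no origin-bound line" };
  let host;
  try {
    host = new URL(pageOrigin).hostname.toLowerCase();
  } catch {
    return { fill: false, reason: "unparseable page origin" };
  }
  if (host !== parsed.host) {
    return { fill: false, reason: `host mismatch: ${parsed.host} vs ${host}` };
  }
  return { fill: true, code: parsed.code };
}

// Walk the samples against the legitimate page origin.
for (const [name, text] of Object.entries(MESSAGES)) {
  console.log(name, "->", shouldAutofill(text, "https://example.com"));
}
```

The legacy message yields no fill decision at all, which is the fallback the proposal leaves for senders that do not adopt the format.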
Anurag Aggarwal, Associate Director – Messaging Services, Tata Communications
I unequivocally support Apple’s initiative to standardize SMS OTP templates. While, prima facie, this activity does appear cumbersome from a global adoption standpoint, I strongly believe that the rising cases of consumer frauds, phishing and other scams warrant this measure. Even prior to this announcement, India is already working tirelessly on implementing DLT – a blockchain based technology – which would mandatorily necessitate any brand to disclose and adhere to transmitting OTP messages as well as other customer communication via pre-approved templates only.
While such restrictions will definitely pose a level of challenge on enterprises with their customers, I do believe that the benefits far outweigh these concerns, and all industry partners need to work together in making this initiative a success!
William Dudley, Head of Mobile Innovation & Evangelism, SAP Digital Interconnect
Apple undoubtedly has an interesting proposal and while this won’t solve all issues with SMS-based 2FA, it can definitely ease the burden of SMS-based 2FA on targeted devices. I do believe it can remove some of the phishing risk; however, one still does have to be careful as bad actors could incorporate a phishing site into the 2nd line as well. While it may be caught, it could catch unsuspecting subscribers off guard. Still this proposal offers a simple solution that can improve accuracy and reduce some risk for SMS-based 2FA. Going forward, we’ll need this and other industry improvements to SMS and other messaging channels, if we want to continue to use messaging-based 2FA delivery.
SAP Digital Interconnect has an authentication service called SAP Authentication 365. I have confirmed we can support this new format in the current version.
Robert Gerstmann, Chief Evangelist & Co-Founder, Sinch
We welcome Apple’s suggestion of standardizing the format of SMS OTPs.
This seems like a way for Apple to enhance the user experience so that apps and web pages can pick up the code more seamlessly. We believe that this move will have a positive impact on both security and usability. Associating OTP messages with a URL works in favor of using approved, secure routes to get messages delivered.
It is not a perfect solution – having a readable PIN does still open up the risk of social engineering and fraud. But it is a step in the right direction. It will make things more difficult for SIM-farms and P2P masking trying to defraud users. This, in turn, will make SMS a more competitive method of two-factor authentication compared with other channels.
In short, we think that the successful implementation of this idea would have a positive impact on the industry. And Sinch is committed to making this happen.
Jason Lunn, SVP Commercial, IMImobile
Apple’s proposal to standardise the format for SMS OTP/2FA appears to be geared towards improving the user experience and making mobile interactions more frictionless. We have already seen mobile apps being able to register incoming SMS traffic, pick up the 2FA code and proceed – however, such functionality has had challenges in the past due to malware concerns.
Clearly if 2FA is extended to websites it will require all the major browsers to be on board and current authentication processes to be updated, which will slow any potential roll out.
Apple’s proposal is generally a positive step, but at the same time it’s important to note it won’t be the silver bullet towards making SMS 2FA more secure, as many of the common vulnerabilities (e.g. social engineering or hackers directly targeting customer / password reset portals) will remain.
Harsh Mamgain, Vice President, Product Management, Infinite Convergence
Apple’s proposal to standardize the OTP SMS format will help in reducing phishing attacks and will also make it more convenient for users to use two-factor authentication. As Apple indicated, this proposal does not attempt to reduce risks from attacks such as SIM swap, port-out phone number to different mobile carriers and scanning of SMS messages.
In fact, it could make this even worse in case of SMS content hijacking.
Putting both the URL and the OTP in one SMS enables hackers to gain access to victims’ accounts effortlessly if they get access to the victim’s SMS messages. To reduce this risk, additional security measures must be implemented, such as validating users one more time (e.g. prompting them to enter the password after the PIN code is automatically entered) before completing the login operation.
Tracy Molete, Managing Executive – Enterprise and Telco Verticals, Apprentice Valley
It’s an idea that will have to consider the current standards across various MNOs and regulatory bodies across the globe. This might be ideal for fraudsters as well who can now copy the format/standard to easily send fraudulent OTPs. It will also prevent companies from structuring and customising their own messages e.g. add their contact details and some advertising to leverage from the number of characters that can be clutched into one SMS.
On the other hand, if the OTP SMS originates from a verified Alpha-Numeric sender ID ring-fenced for such traffic, it will be more effective because a spoofed sender ID through some grey route would not pass the verification platform and SMS delivery to the end user will not be possible.
Jean Shin, Director of Strategy & Content, tyntec
Apple might be learning that consumers’ appetite for zero friction is high. If you’re one of many users of Apple’s Face ID, it’s easy to see how this proposal reflects the general trend for frictionless user experience.
Coupled with the UX trend, security is the other issue they need to solve in order to boost mobile transactions.
And this proposal is a good solve for improving both – reducing phishing attacks while removing friction. By adding the login URL inside the OTP SMS and automatically parsing it to text-match the website URL, we can ensure the OTP is used on the intended website, not a fake one.
However, it still doesn’t address the possibility of OTP SMS messages being hijacked in transmission. For that, we need to authenticate the device as well, which is why we partnered with Averon for autonomous authentication.
Also, by using the established delivery channel, SMS, the proposal provides a clear, fast path for adoption – unlike introducing a brand new technology such as Face ID.
Overall, I see it as a positive move for all parties involved, including service providers such as ourselves, as with the standardization of 2FA SMS messages we can help mobile operators identify legitimate use cases from our enterprise customers.
Mijo Soldin, Director Operator Strategy and Partnerships, Infobip
The cornerstone of our portfolio is solutions that enhance user experience and provide security for mobile users when interacting with their favourite brands, from SMS 2-factor authentication to Mobile Identity and other digital identity solutions. In light of that, we always support initiatives that promote a better user experience and trust in mobile and digital services. Apple’s proposal adds a new layer of credentials that so far hasn’t been developed.
This will definitely open new use cases in user authentication on websites, and it brings the promise of improved security. It is also an interesting twist on a venerable mobile channel, further establishing SMS as the indispensable element in the authentication space.
The first order of business would be engaging the ecosystem, getting the discussion rolling and defining technical and implementation details.
We are certainly interested in working alongside Apple, Google and other browser developers and the tech community to develop an industry-wide standard.
Dr Piet Streicher, MD, BulkSMS
In a global environment where data privacy and consumer protection are top of mind, Apple’s proposed SMS OTP/2FA format is a step towards offering a customer-centric messaging solution to increase confidence in the SMS channel and reduce phishing attacks.
This would also give assurance to our clients of the continued value of SMS OTP/2FA for their business messaging.
If Apple’s format becomes an accepted standard, then we may well see how an incremental change in a specific message flow encourages the use of embedded URLs in other messaging use cases in the A2P SMS messaging ecosystem.
Sergii Sushchenko, Head of Pre-Sales Division, Global Message Services
Apple’s continued interest in SMS is very positive news for the SMS industry (as is Google’s interest in verified SMS). Simplification brings clarity, which is good for the end-user – which in turn is good for the whole industry. However, standards rarely lead to complete standardization (just look at the range of phone chargers still being used) and so there is no guarantee everyone, or even a majority, will adopt Apple’s. Accommodations may also have to be made for different languages, particularly those using non-Latin character sets. As a result, Apple’s suggestion provides excellent material for developers, but its ultimate utility depends on those developers adopting it.
The Apple-proposed standard offers a simple way for an end user to link the 2FA with the enterprises generating those codes. This method can only improve the efforts of companies like GMS to fight fraud, since such a model provides much more visibility to the end user and might reduce phishing attempts. Even small improvements matter, of course, and the proposed structure may well help end users spot suspect 2FA messages more easily. We hope that in future the only phone charger standard will be wireless, and we will have a single OTP authorization content structure for the majority of International A2P Services.
Colin Tan, Product Manager, Messaging, RCS & Digital Solution, Telenor
Some mobile applications have already implemented this, but it will be interesting to have it standardized via browsers and applications. Ideally these messages should be sent to the end user in binary mode, as this way the user will be authenticated without seeing any messages in their inbox.
Implementing a standardized format of OTP / 2FA SMS should reduce the usage of obfuscated text messages being transmitted over grey routes; operator network firewalls will only allow the standard format while all others are blocked, so potentially the cat and mouse game will stop and enterprises will easily know which aggregators are using grey routes to deliver messages.
Telenor Global Wholesale is interested in the approach and will support the development of the new standardization.
Thomas Patrick Ward, Marketing Specialist, RDcom
Despite it not addressing every security concern, I definitely see this as a positive step towards increasing security and combatting fraud, especially as fraudsters are ever improving in deceiving people and carrying out fraud/phishing. This is important as wider demographics of people are using smartphones for activities such as banking and making purchases and may not always be as aware of methods of deception used (I know this is a generalisation but I think it is relevant). The association of OTPs with specific websites will certainly help reduce the risk of people falling victim to phishing scams, and as adoption of the device to conduct everyday sensitive tasks continues to grow, this will certainly assist in reducing fraud and add that extra layer of security and confidence.
I have actually used this on my iPhone before when receiving OTPs for websites and applications, and it is also great from a UX point of view, which is certainly another plus alongside the security considerations!