{"id":116302,"date":"2020-08-04T13:45:08","date_gmt":"2020-08-04T13:45:08","guid":{"rendered":"https:\/\/developer.apple.com\/news\/?id=z0i801mg"},"modified":"2020-08-04T13:45:08","modified_gmt":"2020-08-04T13:45:08","slug":"enhance-sms-delivered-code-security-with-domain-bound-codes","status":"publish","type":"post","link":"https:\/\/sickgaming.net\/blog\/2020\/08\/04\/enhance-sms-delivered-code-security-with-domain-bound-codes\/","title":{"rendered":"Enhance SMS-delivered code security with domain-bound codes"},"content":{"rendered":"<div class=\"inline-article-image\"><img decoding=\"async\" src=\"https:\/\/www.sickgaming.net\/blog\/wp-content\/uploads\/2020\/08\/enhance-sms-delivered-code-security-with-domain-bound-codes.jpg\" data-hires=\"false\"><\/div>\n<p>Many websites and apps offer additional login security in the form of SMS-delivered codes. On iPhone, Security Code AutoFill makes it easy for people to quickly supply these codes by offering them in the QuickType bar. On a Mac running macOS Big Sur, Mac Catalyst and AppKit apps can take advantage of this feature as well.<\/p>\n<p>Additionally, starting with iOS 14 and macOS Big Sur, we\u2019re adding an extra layer of security to SMS-delivered codes by allowing you to associate codes with a specific web domain.<\/p>\n<h3>How domain-bound codes work<\/h3>\n<p>When you use a domain-bound code, AutoFill will suggest the code if \u2014 and only if \u2014 the domain is a match for the website or one of your app\u2019s associated domains. For example, if you receive an SMS message that ends with <code>@example.com #123456<\/code>, AutoFill will offer to fill that code when you interact with example.com, any of its subdomains, or an app associated with example.com. If instead you receive an SMS message that ends with <code>@example.net #123456<\/code>, AutoFill will not offer the code on example.com or in example.com\u2019s associated app. 
This makes it harder for an attacker to trick someone into entering one-time codes into a phishing site.<\/p>\n<div class=\"inline-article-image\"><img decoding=\"async\" src=\"https:\/\/www.sickgaming.net\/blog\/wp-content\/uploads\/2020\/08\/enhance-sms-delivered-code-security-with-domain-bound-codes-1.jpg\" data-hires=\"false\"><\/div>\n<p>While iOS and macOS will also display regular SMS-delivered codes in addition to domain-bound codes, we encourage everyone employing this authentication method to adopt this standard to provide a more secure experience for people on your website or app. If a message contains no domain information, it will continue to be offered in all relevant fields through AutoFill.<\/p>\n<h3>How to set up SMS domain-bound codes<\/h3>\n<p>You can take advantage of domain-bound codes on both websites and apps with associated domains.<\/p>\n<p><strong>Set up domain-bound codes for your website<\/strong><br \/>\nIn most cases, AutoFill should work automatically on Safari for iOS and macOS Big Sur, and requires no additional information from you. In cases where it does not, you can add the <code>autocomplete=one-time-code<\/code> attribute to your web page\u2019s text field. This cues Safari to offer applicable codes in that field.<\/p>\n<p><strong>Set up domain-bound codes for your app<\/strong><br \/>\nYou can support domain-bound codes by providing an associated domain for your app. 
If you support Universal Links for your domain, or if AutoFill is currently suggesting saved passwords for your domain in your app\u2019s login screens, your app is already associated with your domain.<\/p>\n<p><a href=\"https:\/\/developer.apple.com\/documentation\/safariservices\/supporting_associated_domains_in_your_app?language=objc\" class=\"icon icon-after icon-chevronright\">Learn more about supporting associated domains<\/a><\/p>\n<p><em>Note: If you\u2019re running into issues when testing your app\u2019s login flows, you may need to provide an additional hint about which fields in your app are one-time code fields. For iOS and Mac Catalyst apps, set the field\u2019s <code>textContentType<\/code> property to <code>UITextContentType.oneTimeCode<\/code>. For AppKit apps on macOS, <code>NSTextField<\/code> has a <code>contentType<\/code> property that you should set to <code>NSTextContentTypeOneTimeCode<\/code>.<\/em><\/p>\n<hr>\n<h3>How to format SMS domain-bound codes<\/h3>\n<p>Once your app or website is set up to receive domain-bound codes, you\u2019ll need to provide a simple addition to the SMS messages you send through your backend service to include both the domain and code. Here\u2019s what the text you\u2019ll send looks like:<\/p>\n<pre class=\"code-source\"><code>123456 is your Example code. @example.com #123456<\/code><\/pre>\n<p>Everything above the last line of the message is freeform. You&#8217;re free to customize this part however you like, but it should be something that makes sense to people receiving the code.<\/p>\n<p>The last line of this message gives AutoFill on iPhone, iPad, or Mac the information it needs to bind the domain and code together and suggest the code for the appropriate website or app.<\/p>\n<p>In order for domain-bound codes to work properly, you must include this information in the last line of the message, and it must contain the domain and code in the correct order. 
<\/p>\n<p><code>@example.com<\/code><\/p>\n<p>This is the first part of that last line, and contains the domain of the app or website where you want the code to fill in. Make sure to put a single space after your domain before you begin the segment with your one-time code.<\/p>\n<p><code>#123456<\/code> (represents the code 123456)<\/p>\n<p>The second part of the last line begins with # and contains the string with your app or website\u2019s one-time code.<\/p>\n<h3>Improve your SMS-delivered codes<\/h3>\n<p>Domain-bound codes are straightforward for developers to implement, easy for people using your apps and websites to understand, and add more security to the SMS-delivered codes. You can also learn more about domain-bound codes and the development of the message format in the W3C\u2019s Web Platform Incubator Community Group.<\/p>\n<h3>Resources<\/h3>\n<p><a href=\"https:\/\/github.com\/WICG\/sms-one-time-codes\" class=\"icon icon-after icon-chevronright\">Learn more about domain-bound codes<\/a><\/p>\n<p><a href=\"https:\/\/developer.apple.com\/documentation\/xcode\/allowing_apps_and_websites_to_link_to_your_content\" class=\"icon icon-after icon-chevronright\">Allowing Apps and Websites to Link to Your Content<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Many websites and apps offer additional login security in the form of SMS-delivered codes. On iPhone, Security Code AutoFill makes it easy for people to quickly supply these codes by offering them in the QuickType bar. 
On a Mac running macOS Big Sur, Mac Catalyst and AppKit apps can take advantage of this feature as [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":116303,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[55],"tags":[],"class_list":["post-116302","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-apple-developer-news"],"_links":{"self":[{"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/posts\/116302","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/comments?post=116302"}],"version-history":[{"count":0,"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/posts\/116302\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/media\/116303"}],"wp:attachment":[{"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/media?parent=116302"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/categories?post=116302"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/tags?post=116302"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}