Security Code AutoFill, the iOS 12 feature that lets iPhones and iPads fill in SMS security codes automatically when logging in to sites and services, poses a potential threat, according to researcher Andreas Gutmann. He says the feature removes the step where a person reads the message and might notice that something is wrong, and that this could be used to trick users into giving up personal information.
Security Code AutoFill makes the two-factor authentication process easier for end users. When they log in to a site or service that sends a text message with a code they have to enter to complete the process, iOS 12 can automate that step. In iOS 11, users need to switch to the Messages app to read the code, then jump back to the app where they need to enter it.
Convenience is great, but Gutmann thinks it could lead to bank fraud. He said,
This new iOS feature creates problems for the use of SMS in transaction authentication. Applied to 2FA, the user would no longer need to open and read the SMS from which the code has already been conveniently extracted and presented. The code is detected in a message based on heuristics such as proximity to the words ‘code’ or ‘passcode’, which are used in messages delivering 2FA codes and TANs alike. Security Code AutoFill on a webpage or in an app is then suggested if the input field is tagged accordingly.
That’s a legitimate concern, although the implication that end users aren’t involved in the auto-fill process isn’t completely correct. Users see a pop-up showing the code from the text message and must tap it to finish logging in. It’s possible someone could reflexively tap the code, but that’s not too different from seeing the code and typing it in by hand on iOS 11. The difference Gutmann is pointing at is what the user actually reads: the pop-up shows only the digits. For a login code that is all there is to read, but a transaction authentication number is sent alongside the details it is meant to confirm, such as the amount and the recipient, and those details are never put in front of a user who just taps the suggestion.
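As an added example (not code from the article, from Gutmann’s research or from Apple), here is a toy JavaScript model of the heuristic the quote describes: pick the run of digits that sits closest to the word “code” or “passcode”, and offer it only if the page’s input field is tagged for one-time codes. Apple’s real matching rules are not published, so the keyword list, the 4-to-8-digit length, the character-distance cut-off and the two sample messages are all assumptions; the `autocomplete="one-time-code"` token is the real opt-in that Safari on iOS 12 recognises. Running it over a constructed login SMS and a constructed transaction TAN shows the point: both yield a code, and the TAN’s amount and recipient stay in the part of the message the suggestion never shows.

```javascript
// Added example, not code from the article, from Gutmann or from Apple.
// Apple's actual matching rules are not public: the keyword list, the 4-8 digit
// length and the distance cut-off below are assumptions chosen to mimic the
// "proximity to the words 'code' or 'passcode'" heuristic described in the quote.

const KEYWORDS = /\b(passcode|code)\b/gi;
const DIGIT_RUN = /\b\d{4,8}\b/g;

// Collect every match of a global regex together with its position in `text`.
function positions(re, text) {
  const out = [];
  re.lastIndex = 0;
  let m;
  while ((m = re.exec(text)) !== null) {
    out.push({ value: m[0], index: m.index });
  }
  return out;
}

// Return the 4-8 digit run nearest to a keyword, or null if none lies within
// `maxDistance` characters. Nothing here distinguishes a login code from a
// transaction TAN: both are digits next to the word "code".
function extractSecurityCode(message, maxDistance = 40) {
  const keywords = positions(KEYWORDS, message);
  const runs = positions(DIGIT_RUN, message);
  let best = null;
  for (const run of runs) {
    for (const kw of keywords) {
      const d = Math.abs(run.index - kw.index);
      if (d <= maxDistance && (best === null || d < best.distance)) {
        best = { code: run.value, distance: d };
      }
    }
  }
  return best ? best.code : null;
}

// Web pages opt in by tagging the field with this autocomplete token, which
// Safari on iOS 12 recognises. (Native apps use UITextContentType.oneTimeCode.)
const ONE_TIME_CODE_FIELD =
  '<input type="text" inputmode="numeric" autocomplete="one-time-code">';

function isTaggedForSecurityCode(inputHtml) {
  return /autocomplete=["']one-time-code["']/i.test(inputHtml);
}

// What the AutoFill pop-up conveys (the code) versus what the SMS also said
// (everything else), which the user never sees if they simply tap the suggestion.
function suggestion(message) {
  const code = extractSecurityCode(message);
  if (code === null) return null;
  return { code, detailsNotShown: message.replace(code, "").trim() };
}

// Constructed sample messages (assumed wording, not real bank SMS).
const LOGIN_SMS = "Your Example Bank passcode is 482913. It expires in 10 minutes.";
const TAN_SMS = "Transfer of EUR 4,980.00 to account ending 7731. Your code: 907115";

console.log(extractSecurityCode(LOGIN_SMS)); // 482913
console.log(suggestion(TAN_SMS));            // code 907115, amount and recipient left behind
```

The same function that correctly pulls 482913 out of the login message also pulls 907115 out of the transfer message, and nothing in the pop-up tells the user what that transfer was for; that gap between confirming a login and confirming a transaction is the problem Gutmann describes. Note also that the account fragment 7731 is a candidate too, and only the distance rule keeps it from being suggested instead.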
The bigger issue is that text messaging isn’t a very secure channel for two-factor authentication. The idea is that you need two different kinds of evidence to complete a login: something you have and something you know. Your password is something you know; the code delivered by text message stands in for something you have, namely the phone that receives it.
A text message with a code can show up on your iPhone, iPad, iPod touch, or Mac (when Text Message Forwarding is turned on), making it easy for someone who can see any of your screens to grab the code. Imagine someone logging in to your bank account on your Mac, and the two-factor authentication code that should keep them out shows up on that same screen.
Two-factor authentication via text message is more about convenience than strong security, although it does offer at least a little more protection than a password alone. Authenticator apps and hardware security keys tie the second factor to a specific device rather than to a phone number and its messages. The big message behind Gutmann’s concern is that people need to pay attention when they’re logging in to sites and services, and read what a code is actually for, to help avoid unintentionally giving someone else access to their accounts.
“A text message with a code can show up on your iPhone, iPad, iPod touch, or Mac making it easy for someone who can see any of your screens to grab the code.”
This is, for me, a major flaw in Apple’s 2FA implementation. I wish there were a way to set it up so that the code is sent only to my phone rather than to all my registered devices.