One of Apple's under-appreciated features is the autofill for verification codes that iOS scans out of SMS messages. Whenever a one-time passcode (OTP) arrives in your SMS inbox, iOS automatically scans the message for the code and presents a button for filling it in with one tap. However, phishers and other cybercriminals were abusing this functionality.
According to a report from Macworld, Apple's 2FA autofill no longer works when it detects a potential phishing attack. The feature was introduced with iOS 15, iPadOS 15, and macOS 12 Monterey. Apple is now asking companies to send SMS codes in a new, more secure format. In the new format, messages should read something like "Your Apple ID Code is: 123456. Don’t share it with anyone. @apple.com #123456 %apple.com" instead of "Your Apple ID Code is 123456. Don’t share it with anyone."
With the new format, iOS only offers to autofill a verification code when the domain in the message matches the site you are signing in to. For example, if you sign in on a website that claims to be apple.com but the link actually goes to apple.securelogin.com, which may be phishing, iOS won't offer you the 2FA autofill code. According to Macworld, the format should be:
- A standard human-readable message, including the code, followed by a new line.
- The scoped domain, prefixed with @ (as in @apple.com in the example above).
- The code repeated again, prefixed with # (as in #123456 in the example above).
- If the site uses an embedded HTML element, called an iframe, the source of the iframe is listed after %, such as %ecommerce.example. (The original spec specifies @; Apple appears to be using % for its texts.)
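As an added illustration (not code from the article or from Apple), the following Python model shows the matching rule described above: the trailing line is parsed for the @domain, #code and optional %-prefixed iframe origin, and the code is handed out only when the host of the page the user is actually on equals the scoped domain exactly. The SMS strings are constructed samples, and the `iframe_url` parameter is a hypothetical way of representing a code requested from an embedded frame.

```python
import re
from urllib.parse import urlsplit

# Constructed sample messages (not taken from the article) in the two formats it contrasts.
LEGACY_SMS = "Your Apple ID Code is 123456. Don't share it with anyone."
BOUND_SMS = ("Your Apple ID Code is: 123456. Don't share it with anyone.\n"
             "@apple.com #123456 %apple.com")

# Trailing line: @scoped-domain #code, optionally followed by the iframe origin.
# The draft spec prefixes that origin with @, Apple's texts use %, so both are accepted.
_BOUND_LINE = re.compile(r"@(\S+)\s+#(\S+)(?:\s+[%@](\S+))?")


def parse_bound_otp(sms):
    """Return (domain, code, iframe_domain) from the last line of the SMS,
    or None when the message is not in the domain-bound format."""
    last_line = sms.rstrip().split("\n")[-1].strip()
    m = _BOUND_LINE.fullmatch(last_line)
    if not m:
        return None
    domain, code, iframe_domain = m.groups()
    return domain.lower(), code, (iframe_domain.lower() if iframe_domain else None)


def should_offer_autofill(sms, page_url, iframe_url=None):
    """Model the decision the article describes: return the code only when the
    host of the page the user is really on equals the scoped domain exactly.
    iframe_url (hypothetical) is the origin of an embedded frame requesting the code."""
    parsed = parse_bound_otp(sms)
    if parsed is None:
        return None  # legacy, unbound message: no autofill is offered
    domain, code, iframe_domain = parsed
    # Exact host comparison: "apple.securelogin.com" does not match "apple.com".
    if urlsplit(page_url).hostname != domain:
        return None
    if iframe_url is not None:
        # A code requested from an embedded frame must name that frame's host too.
        if iframe_domain is None or urlsplit(iframe_url).hostname != iframe_domain:
            return None
    return code


if __name__ == "__main__":
    print(should_offer_autofill(BOUND_SMS, "https://apple.com/signin"))             # 123456
    print(should_offer_autofill(BOUND_SMS, "https://apple.securelogin.com/signin"))  # None
    print(should_offer_autofill(LEGACY_SMS, "https://apple.com/signin"))            # None
```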
While the new format isn't foolproof, it will still deter some phishing attempts. It's worth noting that autofill of codes now works only when the website sends the SMS in the new format. If you don't like SMS 2FA, you can opt for Apple's built-in authentication tool. You can access it by going to Settings → Passwords → select the website for which you want to enable 2FA → Set Up Verification Code.