A new feature in iOS 12 makes it easier for you to handle two-factor authentication (2FA) requests. But the process has provoked the ire of one security researcher who says it could cause real security problems, at least for some European online-banking customers.
In iOS 12, already available for beta testing, there's a new Security Code AutoFill feature. When you receive a one-time passcode (OTP) sent to your phone via SMS for two-factor authentication purposes, the Security Code AutoFill automatically retrieves the number and gives you the option, above the keyboard, to simply tap on the code to populate the required field. A note above the number will say "From Messages" to let you know from which app the number was retrieved.
The idea is to make it easier for you to log into 2FA-enabled accounts and services. Ostensibly, if Apple sends a one-time code to your phone and you see it come in, you won't need to jump between apps to get the code and log in.
This makes sense within an American context, but it may be dangerous in Europe, where many online banks, especially in German-speaking countries, use an additional security feature.
That's a really nice TAN
Like some American banks, German banks require you to submit a one-time passcode sent to your phone to log into your account, even if you only want to check the balance.
But if you want to make a payment or otherwise move money around, the bank will ask you to submit a second one-time code sent to your phone so that you can confirm that you, and not some random stranger, is initiating the transaction.
This second code is called a transaction authentication number (TAN), and unless you submit it, you can't do much with your online account, even if you've already logged in. If you see a TAN message pop up on your phone, and you know you haven't initiated a transaction in the past few minutes, then you're supposed to NOT enter the TAN and to call the bank instead to let it know something funny is going on.
Can Apple tell the difference?
It's precisely that crucial moment of decision -- the acceptance or rejection of a TAN -- that Apple's Security Code AutoFill feature may undermine, writes Andreas Gutmann, a German native who's a researcher at OneSpan's Cambridge Innovation Center and a doctoral candidate at University College London.
He's worried that Security Code AutoFill might not be able to tell the difference between a one-time passcode required to log into an account and a TAN required to perform a transaction.
"Unless this feature can reliably distinguish between OTPs in 2FA and TANs in transaction authentication, we can expect that users will also have their TANs extracted and presented without context of the salient information, e.g. amount and destination of the transaction," Gutmann wrote on a UCL blog last month. "Yet, precisely the verification of this salient information is essential for security."
On a second blog posting a few days ago, Gutmann added that the Security Code AutoFill feature could "expose users to online banking fraud by removing the human validation aspect of the transaction signing/authentication process" -- in other words, the TAN.
"The fact that a user verifies this salient information is precisely what provides the security benefit," Gutmann wrote. "Removing that from the process renders it ineffective."
Gutman, whose comments were reported on earlier by 9to5Mac, said that Apple's Security Code AutoFill feature could make banking customers more vulnerable to man-in-the-middle attacks. If a customer can't tell if a code is an OTP or a TAN, he or she might authorize the movement of money out of an account without knowing it. Attackers could also trick users by spoofing the mechanism of Security Code AutoFill with malicious apps or websites, Gutmann wrote.
TANs aren't used by North American banks yet, but they may be in the future, if only because European banks seem to lead the way in security methods.
There are better ways to 2FA
Two-factor authentication has become a useful way for companies, such as banks and phone manufacturers, to improve security. The idea is to have you input something you know (a password) and verify your identity with information transmitted only to something you have (your phone). After you input a password, the company will somehow send a code to your phone, which you can input and verify that it's really you who's signing in.
That said, two-factor authentication isn't necessarily a security panacea.
How the one-time passcode is sent to the phone is crucial, and SMS messages, which are transmitted in plaintext over regular phone connections, are the easiest kind to steal or forge. More secure are OTPs that arrive via encrypted internet-based apps, or OTPs generated by apps such as Google Authenticator.
And even with the strongest 2FA method enabled, people can still be duped into handing over information.
Apple's new Security Code AutoFill feature doesn't really reinvent the two-factor wheel. Quite the contrary; it fetches some information that was already sent to you. Arguably, the easiest way to sidestep Gutmann's fears is to simply go to your Messages app and verify a one-time passcode or a TAN before you input it.