Apple introduced a new feature with iOS 12 beta that makes it easier for users to deal with two-factor authentication (2FA) requests. The process essentially eliminates the need for the user to switch between multiple apps when they receive a code as the operating system can handle it for them by fetching codes sent via SMS. Known as the iOS 12 Security Code AutoFill feature, the process retrieves the one time password and offers the user to tap on the code above the keyboard to populate the field, never leaving their app to head over to Messages to check the code.
While SMS-based authentication has never been secure, this process makes it even weaker by eliminating the “human validation aspect of the transaction signing/authentication process,” said Andreas Gutmann, a researcher at OneSpan’s Cambridge Innovation Centre.
The problem is how iOS 12 will handle different kinds of codes. While the feature offers convenience by removing the need to jump between apps to get a code, banking apps don't only send one-time passwords for authentication; many also send a separate code when a transaction is being made online. This may not be a widespread practice among American banks, but several in Europe and elsewhere in the world offer this double protection: one code to log you in to your account and a second code that is demanded whenever you want to make a transaction.
It is this second code that Gutmann believes should be controlled by a human (via 9to5Mac).
Transaction authentication, as opposed to user authentication, attests to the correctness of the intention of an action rather than just the identity of a user. It is most widely known in online banking, and in particular as a way to meet the EU’s Revised Payment Services Directive (PSD2) requirement for dynamic linking, where it is an essential tool to defend against sophisticated attacks.
Gutmann explains that Apple may not be able to distinguish between a 2FA code and a transaction authentication number (TAN).
“Unless this feature can reliably distinguish between OTPs in 2FA and TANs in transaction authentication, we can expect that users will also have their TANs extracted and presented without context of the salient information, e.g. amount and destination of the transaction,” Gutmann wrote. “Yet, precisely the verification of this salient information is essential for security.”
He added that Security Code AutoFill could be exploited in man-in-the-middle attacks on users accessing their bank accounts from Safari. It could also expose users to online banking fraud: if a user can’t tell the difference between a 2FA code and a TAN shown to them inside the app, they may unwittingly authorize a transaction made by someone else on their account. Since TAN messages usually carry a summary of the transaction being made, reading that summary is what protects users from authorizing payments they didn’t initiate themselves.
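The two mechanisms discussed above, dynamic linking of a TAN to the transaction details in the PSD2 sense and the loss of the message's salient context when a code is extracted for autofill, as an added Python example that is not Apple's, OneSpan's or any bank's code. The HMAC-based TAN derivation, the SMS formats, the extraction and context regexes and every sample value (secret, account identifiers, amounts, nonce) are constructed assumptions for illustration. The first half shows why a TAN only verifies against the exact amount and destination it was issued for; the second half contrasts a naive "grab the six digits" extractor with one that withholds the code when the message describes a transaction, so the user has to read the summary first.

```python
import hashlib
import hmac
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# --- 1. A TAN dynamically linked to the transaction (PSD2 "dynamic linking") ---
# Hypothetical construction for illustration only: an HMAC over the salient
# transaction details, truncated to six digits. Real banks use their own schemes.


@dataclass(frozen=True)
class Transaction:
    amount_eur: str   # decimal string, e.g. "250.00"
    destination: str  # payee account identifier, e.g. an IBAN
    nonce: str        # per-transaction challenge issued by the bank


def derive_tan(secret: bytes, tx: Transaction) -> str:
    """Derive a six-digit TAN bound to amount, destination and nonce."""
    msg = f"{tx.amount_eur}|{tx.destination}|{tx.nonce}".encode()
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    # Dynamic truncation, the same idea as RFC 4226 HOTP.
    offset = digest[-1] & 0x0F
    code = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{code % 1_000_000:06d}"


def verify_tan(secret: bytes, tx: Transaction, tan: str) -> bool:
    """Bank-side check: the TAN verifies only against the details it was derived for."""
    return hmac.compare_digest(derive_tan(secret, tx), tan)


def login_otp_sms(code: str) -> str:
    """Constructed login OTP message: no transaction context at all."""
    return f"Your login code is {code}. It expires in 10 minutes."


def tan_sms(tx: Transaction, tan: str) -> str:
    """Constructed TAN message: the summary is the user's only view of what they authorise."""
    return f"Transfer of EUR {tx.amount_eur} to {tx.destination}. TAN: {tan}"


# --- 2. Code extraction: naive (context dropped) vs. context-aware ---
CODE_RE = re.compile(r"\b(\d{6})\b")
# Constructed indicators that a message describes a transaction rather than a login.
CONTEXT_RE = re.compile(
    r"(EUR|USD|GBP|\$|€|£)\s?\d|\bIBAN\b|\bTAN\b|\btransfer\b|\bpayment\b|\bto\s+[A-Z]{2}\d{2}",
    re.IGNORECASE,
)


def naive_autofill(sms: str) -> Optional[str]:
    """Mimics a keyboard suggestion: take the first six-digit run, discard the rest."""
    m = CODE_RE.search(sms)
    return m.group(1) if m else None


def context_aware_autofill(sms: str) -> Tuple[Optional[str], Optional[str]]:
    """Return (code, context). If the message carries transaction context, withhold
    the code and return the full text so the user must read amount and destination."""
    code = naive_autofill(sms)
    if code is None:
        return None, None
    if CONTEXT_RE.search(sms):
        return None, sms
    return code, None


def demo() -> dict:
    """Walk through the failure mode: a TAN issued for a transaction the user did not intend."""
    secret = b"constructed-demo-secret"              # constructed, not a real key
    intended = Transaction("25.00", "DE89370400440532013000", "nonce-1")
    # A transaction on the same account that the user did not initiate.
    submitted = Transaction("2500.00", "GB29NWBK60161331926819", "nonce-1")
    tan = derive_tan(secret, submitted)             # the bank issues a TAN for what was submitted
    sms = tan_sms(submitted, tan)
    return {
        "naive": naive_autofill(sms),                # just the digits, summary gone
        "aware": context_aware_autofill(sms),        # (None, full message): user must read it
        "login": context_aware_autofill(login_otp_sms("482913")),
        "tan_matches_intended": verify_tan(secret, intended, tan),   # False: linked to other details
        "tan_matches_submitted": verify_tan(secret, submitted, tan),  # True
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

The point the demo makes is that dynamic linking alone does not protect the account holder: the TAN in the message is perfectly valid for the transaction that was actually submitted, and the summary text is the only place where the user can see that it is not the one they meant to authorise. A naive extractor returns the six digits and nothing else; the context-aware variant treats any currency amount, account identifier or the word "TAN" as a signal to show the full message instead of a tap-to-fill suggestion.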
You can read more about Gutmann’s concerns with this new iOS 12 feature over here. While we aren’t sure what additional protections Apple might add to this feature before it’s released to the public, you can always choose to hop over to Messages to confirm a code yourself.