Highlight
iOS 15 and macOS Monterey build the TOTP verification code generator into the iCloud Keychain password manager, supporting one-click setup, AutoFill autofill, cross-device synchronization and secure backup, making multi-factor authentication safer, cheaper and more reliable than SMS.
Core Content
Password problem
Passwords are the most common authentication method on the Internet, but people are not good at using passwords correctly.Many people reuse passwords or choose passwords that are easy to guess.It’s also easy for attackers to spoof passwords through phishing.
To enhance security, many services add an extra step - Verification Code - to the login process.After the user enters their username and password, they also need to enter a one-time code to confirm their identity.
Hidden dangers of SMS verification codes
Currently the most common method of delivering verification codes is SMS.While AutoFill makes it easy to enter SMS verification codes (one-click fill), SMS has several serious problems:
- Poor security: SMS is easily sniffed by the operator’s network and is also at risk of SIM card swapping attacks
- Network dependent: On an airplane or in a place with weak signal, text messages may be delayed for a long time or even not received.
- High Cost: For service providers, sending millions of text messages is a huge expense.
TOTP: Device generates verification code locally
TOTP (Time-Based One-Time Password) is based on the RFC 6238 standard and generates a short numeric code locally on the device through a secret key and a timestamp.This method does not require communication with the server, is more secure, and has no SMS charges.
But the setup process for TOTP has always been cumbersome: users need to display the QR code on one device, download the authenticator app on another device, and then scan the QR code.This process is difficult for ordinary users to understand.
iCloud Keychain built-in verification code generator
iOS 15 and macOS Monterey build the TOTP verification code generator directly into the iCloud Keychain password manager, solving all the above pain points:
- One-click setting: Add a special link to the TOTP setting page, and users can complete the setting with just two clicks
- AutoFill: Like SMS verification codes, the generated verification codes can be automatically filled into the input box with one click
- Cross-device sync: Verification codes are synced across all devices via iCloud Keychain, so you don’t need to pull out your iPhone to log in on Mac
- Secure Backup: Verification codes are securely backed up in iCloud. If you lose your device, you will not lose your account access.
- End-to-End Encryption: All data in iCloud Keychain is end-to-end encrypted and cannot be accessed by Apple
Detailed Content
How to support one-click setting
(08:06) To make it easy for users to set up verification codes, you need to add a link or button to the TOTP settings page.
TOTP settings typically useotpauth://URL containing base32-encoded secret key, verification code digits, expiration date, and issuer fields.iCloud Keychain uses the issuer field to suggest which account to add the verification code to.
To link directly to iCloud Keychain Password Manager, just prepend the URL withapple-Prefix:
// In the app, open the setup URL from a button tap
func openVerificationCodeSetup(url: URL) {
if let scene = UIApplication.shared.connectedScenes.first as? UIWindowScene {
scene.open(url, options: nil, completionHandler: nil)
}
}
// On the web page, use an anchor tag
// <a href="apple-otpauth://totp/Example?secret=...&issuer=example.com">Set up verification code</a>
Key points:
otpauth://The URL contains all the information needed to set up the captcha generator- plus
apple-After the prefix, the system will directly open the iCloud Keychain password manager - On iOS, via
UIWindowSceneofopenAPI opens this URL - In web pages, you can directly use anchor tags to link
- Need to confirm system support through availability check (availability check)
apple-otpauth://URL, older version systems should hide the settings button
Safari integration for QR codes
(10:02) If you use a QR code image in JPG, PNG, or GIF format, Safari detects the QR code through on-device image analysis.If Safari determines that the QR code containsotpauth://URL that provides the option to set up a verification code generator in the context menu of the QR code image.
Content type annotation of text field
(10:30) In order for AutoFill to know where to fill in the username, password, and verification code, the text field needs to be marked with a content type.
In SwiftUI:
TextField("Verification Code", text: $code)
.textContentType(.oneTimeCode)
In UIKit:
let textField = UITextField()
textField.textContentType = .oneTimeCode
In the web page:
<input type="text" autocomplete="one-time-code" />
Key points:
.oneTimeCodecontent type tells the system that this is a verification code input box- Once marked, AutoFill automatically provides a verification code obtained from SMS or TOTP generator
- Use on the web
autocomplete="one-time-code"property
Domain name binding for SMS verification code
(13:11) If you still need to use SMS verification codes, iOS 14 and macOS Big Sur introduce a domain binding mechanism to enhance security.
Add domain name binding information to the SMS message to tell AutoFill that this verification code is for a specific domain name.AutoFill will only provide a verification code when the domain name matches.This prevents phishing websites from obtaining the user’s SMS verification code.
Domain name binding uses the same associated domains mechanism as Universal Links.If the App has been configured with associated domains, you can directly add domain name binding support.
Core Takeaways
-
Replace SMS verification codes: Support TOTP in the backend of apps and websites to guide users to switch from SMS to verification codes generated locally on the device.This reduces costs, improves security, and improves user experience in offline environments.The entry is generated from the server
otpauth://URL。 -
One-click setup process: On the setup page where the user turns on two-step verification, add a “Set in iCloud Keychain” button.use
apple-otpauth://URL prefix allows users to complete the setup in just two clicks on iOS 15+ devices, eliminating the tedious step of scanning QR codes. -
Enhanced SMS Security: If you cannot completely give up SMS verification codes for the time being, add domain name binding to SMS messages immediately.This prevents phishing attacks from stealing verification codes, and the configuration cost is very low - just reuse the existing associated domains settings.
-
Unified Authentication Experience: Will
textContentType(.oneTimeCode)Applies to all verification code input boxes.This way, users get a consistent one-click fill experience whether the verification code comes from SMS or a TOTP generator.
Related Sessions
- Move beyond passwords — WebAuthn technology preview and introduction to passkeys, the ultimate alternative to passwords
- Meet Face ID and Touch ID for the web — Web-side biometric authentication
- What’s new in Sign in with Apple — Federal certification and Sign in with Apple updates
Comments
GitHub Issues · utterances