Tuesday, February 4, 2020

Delivering Origin-bound One-time Codes Over SMS

Ricky Mondello:

We’ve published an explainer about an idea to harden SMS-delivered one-time passwords by allowing senders to associate the codes with a website. We’ve been talking about the idea with some folks at Google, and would like more feedback.

WebKit (MacRumors):

This proposal attempts to reduce some of the risks associated with SMS delivery of one-time codes. It does not attempt to reduce or solve all of them. For instance, it doesn’t solve the SMS delivery hijacking risk, but it does attempt to reduce the phishing risk.

[…]

But because there is no standard text format for SMS delivery of one-time codes, systems which want to make programmatic use of such codes must rely on heuristics, both to locate the code in the message and to associate the code with a website. Heuristics are prone to failure and may even be hazardous.

[…]

To address this, we propose a lightweight text format that services may adopt for such messages. It’s about as simple as it gets. It begins with (optional) human-readable text. After the human-readable text both the code and the origin appear on a single line, with sigils denoting which is which. This is the last line of the text.
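As an added illustration (not code from the explainer or from WebKit), the following parser shows how a client can consume the proposed format without heuristics: it looks only at the final line, expects an origin sigil and a code sigil, and hands the code to a page only when the bound host matches. The `@host #code` sigils are taken from the later WICG draft of the format, not from the text above; the sample message and the exact-host comparison are my assumptions.

```python
import re
from typing import Optional, Tuple

# Constructed sample message in the proposed shape: optional human-readable
# text first, then a final line carrying the origin ("@" sigil) and the
# one-time code ("#" sigil). The sigils follow the later WICG draft.
SAMPLE_SMS = "747723 is your Example authentication code.\n\n@example.com #747723"

# Only the last line is inspected: "@" + host, whitespace, "#" + code.
# Hosts are restricted to lowercase ASCII hostname characters and codes to
# alphanumerics (an assumption for this example). Anything that does not
# match is treated as "not a bound code" and gets no guessing at all.
_LAST_LINE = re.compile(r"^@(?P<host>[a-z0-9.-]+)\s+#(?P<code>[A-Za-z0-9]+)$")


def parse_bound_code(message: str) -> Optional[Tuple[str, str]]:
    """Return (host, code) when the final line is in the bound format, else None."""
    lines = message.rstrip("\n").split("\n")
    match = _LAST_LINE.match(lines[-1].strip())
    if match is None:
        return None
    return match.group("host"), match.group("code")


def code_for_origin(message: str, page_host: str) -> Optional[str]:
    """Return the code only if the message is bound to page_host, otherwise None.

    This is the anti-phishing property the format buys: a code bound to
    example.com is never offered for autofill on a look-alike host such as
    example.com.evil.test, because the host comparison is exact.
    """
    parsed = parse_bound_code(message)
    if parsed is None:
        return None
    host, code = parsed
    if host != page_host.lower():
        return None
    return code
```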

Previously:

Update (2020-04-08): Ricky Mondello:

We’ve moved “Origin-bound one-time codes delivered via SMS” to @wicg_, where we’re working on a shared spec with our collaborators at Google.
