It appears that a new component of iOS 12, designed to make two-factor authentication more convenient for users, may in fact negate some of the security benefits the system is meant to provide. By automating the entry of codes and removing the human verification step from the process, Security Code AutoFill could expose users to banking fraud and other security issues.
Two-factor authentication (2FA) is a security feature commonly used for sensitive services, in particular, financial services such as online banking and payment processing. With 2FA, users are required to not only enter their password to use these services but also to input a one-time password (OTP) which is either sent to a mobile device or provided by an external app.
Apple’s Security Code AutoFill is designed to improve the usability of the system. By using the AutoFill feature, iOS users can allow their devices to examine incoming SMS messages for an OTP. When iOS detects a message containing an OTP, it will suggest the relevant code as an option at the top of the default iOS keyboard.
Currently, on iOS at least, entering these codes relies on the user memorizing the code from the notification that appears on-screen, or from another app such as a messaging app or an authentication-code generator like Authy. Apple’s new feature is designed to make things easier by allowing users to enter the code with a single tap; however, it could introduce a new point of weakness as far as user security is concerned.
Furthermore, if the user has set up their SMS to synchronize with their iPhone and their MacBook or iMac, the text message forwarding feature will support the AutoFill feature as well.
The objective of making new technology, especially technology that improves user security, more accessible, and therefore increasing adoption rates, is nothing new. However, automating these processes and making them simpler for the average user inevitably involves a trade-off in the security benefits provided.
One of the most basic rules of cybersecurity is that when a change is made to one part of a system, its effect on the rest of the system needs to be evaluated. In the case of the Security Code AutoFill feature introduced in iOS 12, the feature negates some of the security benefits of using OTPs and transaction authentication numbers (TANs).
The purpose of transaction authentication is to verify the authenticity of the user’s actions, not just the identity of the user. 2FA was initially used in online banking to comply with the EU’s Revised Payment Services Directive (PSD2) and was intended to protect users from sophisticated cyber-attacks.
Transaction authentication can take many forms, but in the one we are concerned with, when a user attempts to perform a transaction through online banking, the bank sends them an SMS that summarizes the transaction details and attaches a TAN. The user then checks that all the transaction details are correct and, if they agree that the transaction is legitimate, enters the TAN into their banking app or web page.
Given how easy SMS messages are to spoof (it is not hard to craft an SMS that appears to come from a particular number), many cybersecurity professionals have cautioned against their use as part of 2FA systems.
The issue with Apple’s AutoFill feature is that the user is no longer required to open and read the SMS message in full. This means they will skip the step of verifying the transaction details; the device will instead extract the TAN, which will authorize the transaction.
The security benefit of the second step of the 2FA system relies upon the user checking the transaction details and only entering the TAN if they are satisfied that the transaction is correct and genuine. By removing this step, AutoFill all but negates the security benefits that 2FA provides and could give users the illusion that their transactions are more secure than they are.
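To make the two points above concrete (the SMS-TAN flow described earlier, and the way code autofill skips the comparison step), here is a small added simulation. It is not Apple's code, nor any bank's; everything in it is constructed for illustration: the bank is modelled as binding each TAN to the transaction details with an HMAC over a per-user secret, the SMS wording and the six-digit code length are invented, and `autofill_code` stands in for a generic "pull the first six-digit number out of the message" heuristic. The defensive alternative, `confirmed_fill`, only releases the TAN when the summary in the SMS matches the transaction the user believes they are authorising.

```python
"""Added example (not from the article): toy model of SMS-TAN transaction
authentication showing why the user's comparison step is what carries the
security. All secrets, formats and identifiers below are constructed."""
import hashlib
import hmac
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Transaction:
    recipient_iban: str
    amount_eur: str          # string, so the SMS text and the comparison match exactly


# ---- bank side (constructed) -------------------------------------------------
BANK_SECRET = b"constructed-demo-secret"   # per-user secret known only to the bank


def issue_tan(txn: Transaction) -> str:
    """Derive a 6-digit TAN bound to the exact transaction the bank was asked to run."""
    msg = f"{txn.recipient_iban}|{txn.amount_eur}".encode()
    digest = hmac.new(BANK_SECRET, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 1_000_000:06d}"


def build_sms(txn: Transaction) -> str:
    """The SMS the bank sends: a summary of the transaction plus the TAN (constructed wording)."""
    return (f"Transfer of EUR {txn.amount_eur} to {txn.recipient_iban}. "
            f"Your TAN is {issue_tan(txn)}. Only enter it if these details are correct.")


def bank_executes(txn: Transaction, tan: str) -> bool:
    """The bank runs the transfer only if the TAN matches the transaction it received."""
    return hmac.compare_digest(issue_tan(txn), tan)


# ---- phone side --------------------------------------------------------------
SMS_TAN_RE = re.compile(r"\b(\d{6})\b")
SMS_SUMMARY_RE = re.compile(r"EUR (?P<amount>[\d.]+) to (?P<iban>[A-Z]{2}\d{2}[A-Z0-9]+)")


def autofill_code(sms: str) -> Optional[str]:
    """What a generic code-autofill heuristic does: take the first stand-alone 6-digit
    number in the message. The transaction summary around it is never looked at."""
    m = SMS_TAN_RE.search(sms)
    return m.group(1) if m else None


def confirmed_fill(sms: str, intended: Transaction) -> Optional[str]:
    """Defensive alternative: parse the bank's summary and release the TAN only when it
    matches the transaction the user intends to authorise; otherwise refuse to fill."""
    m = SMS_SUMMARY_RE.search(sms)
    if not m:
        return None
    if m["amount"] != intended.amount_eur or m["iban"] != intended.recipient_iban:
        return None            # details differ from what the user expects: do not enter it
    return autofill_code(sms)


def simulate(intended: Transaction, requested: Transaction, use_autofill: bool) -> bool:
    """Return True if the bank ends up executing `requested`.

    `intended` is what the user believes they are paying; `requested` is what actually
    reached the bank (the same in the honest case, different if the session was tampered with).
    """
    sms = build_sms(requested)
    tan = autofill_code(sms) if use_autofill else confirmed_fill(sms, intended)
    return tan is not None and bank_executes(requested, tan)


if __name__ == "__main__":
    honest = Transaction("DE00123456789012345678", "250.00")      # constructed values
    altered = Transaction("DE00999999999999999999", "2500.00")    # constructed values
    print("autofill, honest session  :", simulate(honest, honest, True))
    print("autofill, altered session :", simulate(honest, altered, True))
    print("confirmed, altered session:", simulate(honest, altered, False))
```

Run as a script it prints the three cases: with autofill the altered transaction is executed because the TAN is extracted without anyone reading the summary, while the confirming variant refuses to fill and the bank never sees a valid TAN for it. Note that the HMAC binding on the bank side does not help by itself: the TAN in the SMS is already bound to the altered transaction, which is exactly why the human comparison step is the control that matters.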