A new feature for iPhones in iOS 12 – Security Code AutoFill – is supposed to improve the usability of Two Factor Authentication but could place users at risk of falling victim to online banking fraud.
Two Factor Authentication (2FA), which is often referred to as Two Step Verification, is an essential element for many security systems, especially those online and accessed remotely. In most cases, it provides extended security by checking if the user has access to a device. In SMS-based 2FA, for example, a user registers their phone number with an online service. When this service sees a login attempt for the corresponding user account, it sends a One Time Password (OTP), e.g. four to six digits, to the registered phone number. The legitimate user then receives this code and is able to quote it during the login process, but an impersonator won’t.
In a recent development by Apple, announced at its developer conference WWDC18, they are set to automate this last step to improve user experience with 2FA with a new feature that is set to be introduced to iOS in version 12. The Security Code AutoFill feature, currently available to developers in a beta version, will allow the mobile device to scan incoming SMS messages for such codes and suggest them at the top of the default keyboard.
Currently, these SMS codes rely on the user actively switching apps and memorising the code, which can take a couple of seconds. Some users deploy alternative try strategies such as memorising the code from the preview banner and hastily typing it down. Apple’s new iOS feature will require only a single tap from the user. This will make the login process faster and less error prone, a significant improvement to the usability of 2FA. It could also translate into an increased uptake of 2FA among iPhone users.
If users synchronise SMS with their MacBook or iMac, the existing Text Message Forwarding feature will push codes from their iPhone and enable Security Code AutoFill in Safari.
Reducing friction in user interaction to improve technology uptake for new users, and increase the usability and satisfaction for existing users, is not a new concept. It has not only been discussed in academia at length but is also a common goal within industry, e.g. in banking. This is evident in how the financial and payment industry has encouraged contactless (Near Field Communication – NFC) payments, which makes transactions below a certain threshold much quicker than traditional Chip and PIN payments.
As architects and designers, especially in computer security, we know that when making changes to one part of a system, we need to evaluate how this affects every other part that it interacts with. In the case of the upcoming Security Code AutoFill feature in iOS 12, this not only includes 2FA but also Transaction Authentication Numbers (TANs).
Transaction authentication, as opposed to user authentication, is used to attest the correctness of the intention of an action rather than just the identity of a user. It is most widely known from online banking, where it is an essential tool to defend against sophisticated attacks. For example, an adversary can try to trick a victim into transferring money to a different account than the one intended. To achieve this the adversary might use social engineering techniques such as phishing and vishing and/or tools such as Man-in-the-Browser malware.
Transaction authentication is used to defend against these adversaries. Different methods exist but in the one of relevance here – which is among the most common methods currently used – the bank will summarise the salient information of any transaction request, augment this summary with a TAN tailored to that information, and send this data to the registered phone number via SMS. The user, or bank customer in this case, should verify the summary and, if this summary matches with his or her intentions, copy the TAN from the SMS message into the webpage.
SMS based OTP, whether used for 2FA or transaction authentication, has been criticised for not being the most secure choice of technology. For example, in recent years the National Institute of Standards and Technology (NIST) initially publicly criticised SMS as a communication medium for secure authentication, labelling it as insecure and unsuitable for strong authentication. However more recently, they have softened their language and instead deprecated SMS 2FA. Yet, it’s still considered secure enough to be used for Strong Customer Authentication under the new EU Payment Service Directive 2.
This new iOS feature creates problems for the use of SMS in transaction authentication. Applied to 2FA, the user would no longer need to open and read the SMS from which the code has already been conveniently extracted and presented. The code is detected in a message based on heuristics such as proximity to the words ‘code’ or ‘passcode’, which are used in messages delivering 2FA codes and TANs alike. Security Code AutoFill on a webpage or in an app is then suggested if the input field is tagged accordingly.
Unless this feature can reliably distinguish between OTPs in 2FA and TANs in transaction authentication, we can expect that users will also have their TANs extracted and presented without context of the salient information, e.g. amount and destination of the transaction. Yet, precisely the verification of this salient information is essential for security. Examples in which Security Code AutoFill could pose a risk to online banking security include a Man-in-the-Middle attack on the user accessing online banking from Safari on their MacBook, injecting the required input field tag if necessary, or where a malicious website or app accesses the bank’s legitimate online banking service.
Even if the new Security Code AutoFill feature can distinguish between those SMS messages, users will inevitably get used to the convenience of this functionality. They might, very reasonably, expect similar convenience from other security technologies, not realising that this can be unrealistic. This can, in turn, discourage the uptake of more secure technologies, such as dedicated hardware tokens in transaction authentication.
We are excited about the anticipated improved usability of 2FA and hope that it will encourage more iOS users to adopt 2FA. But as a socio-technical environment, we can hardly predict the future. SMS based transaction authentication might well remain an established technology in online banking, with banks holding customers liable if they do not verify the transaction information. Whether it is justified to place the burden on users who behave as encouraged by the technology is both a philosophical and legal question.
At OneSpan and University College London, we are currently investigating the interaction between usability, friction, and security of transaction authentication. This project is focused on how misconceptions can be linked to security properties. We evaluate state-of-the-art technologies and investigate potential improvements. This project is funded by the European Union’s Horizon 2020 research and innovation programme under the Marie Skłodowska-Curie grant agreement No 675730.
Update (2018-06-13): After a discussion with Vincent Haupert in the comments, I’ve updated the article with more information how Secure Code AutoFill could be utilised in an attack, added references to Apple’s developer conference WWDC18, and updated the embedded pictures.