Update: Will Strafach has some doubts about Gutmann’s thoughts:
With iOS 12 and macOS Mojave, Apple has introduced a new Security Code AutoFill feature that makes two-factor authentication codes sent via SMS easier to manage. A security researcher, however, has published a new piece detailing some potential fraud concerns with the feature.
respectfully, the author of this post does not fully understand the feature. they are incorrect.
would be happy to be proven wrong with a PoC of some new vuln I do not know about though. https://t.co/twDi2CdaBl
— Will Strafach (@chronic) July 4, 2018
In our initial coverage of the feature, we noted that SMS two-factor isn’t the most secure form of two-factor authentication. Now, Andreas Gutmann, a researcher at OneSpan’s Cambridge Innovation Centre, dives deeper into the security concerns that come with Apple’s new auto-fill feature.
The human validation process, Gutmann explains, is an important aspect of two-factor authentication. Without it, a user could be more susceptible to “man-in-the-middle, phishing, or other social engineering attacks.”
Gutmann goes on to write that the feature could spell trouble for transaction authentication in relation to banking:
The fact that a user verifies this salient information is precisely what provides the security benefit. Removing that from the process renders it ineffective. Examples in which Security Code AutoFill could pose a risk to online banking security include a Man-in-the-Middle attack on the user accessing online banking from Safari on their MacBook, injecting the required input field tag if necessary, or where a malicious website or app accesses the bank’s legitimate online banking service.
The full piece is definitely worth a read and can be found here.
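To make the "salient information" point concrete, here is an added illustration of transaction authentication, written for this page and not taken from Gutmann’s piece, Apple, or any bank: the bank derives the SMS code from the payee and amount it is about to execute, the SMS carries those details alongside the code, and the customer is expected to compare them with what they intended before typing the code in. The scheme (HMAC-based code derivation), the message format, and all names and amounts are constructed assumptions for the example.

```python
import hashlib
import hmac
import re
import secrets

# Constructed demo key: a real bank would keep a per-customer key in an HSM.
SERVER_KEY = b"constructed-demo-key-not-for-production"


def transaction_code(payee: str, amount_pence: int, nonce: str,
                     key: bytes = SERVER_KEY, digits: int = 6) -> str:
    """Derive a one-time code bound to the payee, amount and a per-transaction nonce."""
    # Canonical encoding: any change to payee or amount changes the MAC input.
    msg = f"{payee}|{amount_pence}|{nonce}".encode("utf-8")
    mac = hmac.new(key, msg, hashlib.sha256).digest()
    # Dynamic truncation in the style of HOTP (RFC 4226): 31 bits taken at an
    # offset chosen by the low nibble of the last byte, reduced to `digits` digits.
    offset = mac[-1] & 0x0F
    value = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def sms_text(payee: str, amount_pence: int, code: str) -> str:
    """The message the bank sends: the salient details travel with the code."""
    pounds, pence = divmod(amount_pence, 100)
    return f"Confirm payment of GBP {pounds}.{pence:02d} to {payee}. Code: {code}"


SMS_PATTERN = re.compile(r"^Confirm payment of GBP (\d+)\.(\d{2}) to (.+)\. Code: (\d+)$")


def parse_sms(text: str) -> dict:
    """Pull payee, amount and code back out of the constructed message format."""
    m = SMS_PATTERN.match(text)
    if not m:
        raise ValueError("unrecognised message format")
    pounds, pence, payee, code = m.groups()
    return {"payee": payee, "amount_pence": int(pounds) * 100 + int(pence), "code": code}


def user_confirms_details(text: str, intended_payee: str, intended_amount_pence: int) -> bool:
    """The human step: compare what the SMS says with what the user meant to do.

    Security Code AutoFill lifts the code out of the message without this comparison,
    which is exactly the step the quoted passage says provides the security benefit.
    """
    shown = parse_sms(text)
    return shown["payee"] == intended_payee and shown["amount_pence"] == intended_amount_pence


def server_verify(submitted_code: str, payee: str, amount_pence: int, nonce: str,
                  key: bytes = SERVER_KEY) -> bool:
    """The bank checks the submitted code against the transaction it is about to execute."""
    expected = transaction_code(payee, amount_pence, nonce, key)
    return hmac.compare_digest(submitted_code.encode(), expected.encode())


def walkthrough(nonce: str = "") -> dict:
    """Run the scenario from the quoted passage: the request the bank receives differs
    from the one the customer intended, and the SMS describes the received one."""
    nonce = nonce or secrets.token_hex(8)
    # What the customer intended to send (constructed values).
    intended_payee, intended_amount = "Alice Plumbing", 12_000
    # What the bank actually received after the request was altered in transit (constructed).
    received_payee, received_amount = "Acme Holdings", 500_000

    code = transaction_code(received_payee, received_amount, nonce)
    message = sms_text(received_payee, received_amount, code)

    return {
        "code": code,
        "message": message,
        # Reading the SMS exposes the mismatch; this is the check auto-fill skips.
        "human_check_passes": user_confirms_details(message, intended_payee, intended_amount),
        # The code is valid for the altered transaction, so the bank accepts it if submitted.
        "bank_accepts_altered": server_verify(code, received_payee, received_amount, nonce),
        # The same code does not validate for the transaction the customer intended.
        "bank_accepts_intended": server_verify(code, intended_payee, intended_amount, nonce),
    }


if __name__ == "__main__":
    for key, value in walkthrough().items():
        print(f"{key}: {value}")
```

Running `walkthrough()` shows the asymmetry the passage describes: the bank's own check passes for the altered transaction because the code was derived from it, so the only thing that catches the substitution is the customer reading the payee and amount in the message; a code that is auto-filled straight from the SMS into the form never passes through that comparison.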