Apple Upgrades Autofill Feature to Block Phishing Attacks
Apple’s autofill feature is a convenient way to enter saved passwords and 2FA codes immediately. However, bad actors have taken advantage of the feature, tricking users into autofilling 2FA codes on malicious websites. Luckily, Apple is now blocking this type of activity.
When you are asked to enter a 2FA code on iPhone, and that code is sent to you via SMS, your iPhone can suggest to autofill that code without you needing to type anything at all. That normally works great, but, as stated above, bad actors have figured out a workaround. They’ll send you a link that looks legitimate, but is actually a phishing site; they rely on you not being able to tell the difference between their site and the official one, so you autofill your 2FA SMS code straight into their hands.
Now, Apple is switching gears; now, 2FA codes will only autofill if the domains match. That means if the 2FA code is for meritsolutions.net, but the website you’re on is merit.login.com, the autofill option won’t appear. That should be enough of a red flag for you to reevaluate whether the site you’re trying to log into is legitimate or not.
Of course, SMS-based 2FA is not the most secure method; if websites offer 2FA or MFA through an authenticator app or a trusted device, use those options when available. However, for the times we need to use 2FA via SMS, this change will help protect us from phishing attacks.