iOS 14 adds domain-bound codes to make SMS one-time passcodes more secure


Earlier this year, Apple’s WebKit team proposed a change to the format of SMS one-time passcodes to make two-factor authentication more secure. Apple confirmed today that developers can already implement these changes with iOS 14 and macOS Big Sur.

With iOS 12, Apple has allowed websites and apps that require two-factor authentication to auto-fill codes sent via SMS. And now, the company is making this process even easier and secure by implementing something they call “domain-bound code.”

Additionally, starting with iOS 14 and macOS Big Sur, we’re adding an extra layer of security to SMS-delivered codes by allowing you to associate codes with a specific web domain.

Apple explains that domain-bound code allows iOS and macOS to suggest auto-filling the two-step authentication code only if the domain is a match for the website or one of your app’s associated domains.

Let’s say you get a code associated with the “” domain. With iOS 14 and macOS Big Sur, this code can only be accessed by the official Twitter app or website. According to Apple, this change makes it harder for hackers to trick users with malicious websites asking for two-factor authentication codes.

For example, if you receive an SMS message that ends with #123456, AutoFill will offer to fill that code when they interact with, any of its subdomains, or an app associated with If instead you receive an SMS message that ends with #123456, AutoFill will not offer the code on or in’s associated app.

Apple has shared an article with the documentation developers need to implement SMS domain-bound codes in apps and websites. While regular two-factor authentication codes will continue to work, the company recommends that developers update the codes to the new standard.

FTC: We use income earning auto affiliate links. More.

Check out 9to5Mac on YouTube for more Apple news:

[embedded content]



Please enter your comment!
Please enter your name here