WICG/sms-one-time-codes WICG/sms-one-time-codes

  • Stars
    star
    111
  • Rank 314,510 (Top 7 %)
  • Language Makefile
  • License
    Other
  • Created over 4 years ago
  • Updated about 3 years ago
Twitter logo Share LinkedIn logo Share Facebook logo Share
WICG/sms-one-time-codes
github

WICG

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

A way to format SMS messages for use with browser autofill features such as HTML’s autocomplete=one-time-code.

Explainer: Origin-bound one-time codes delivered via SMS

Table of Contents

Introduction

Many websites make use of one-time codes for authentication.

SMS is a popular mechanism for delivering such codes to users, but using SMS to deliver one-time codes can be risky.

This proposal attempts to reduce some of the risks associated with SMS delivery of one-time codes. It does not attempt to reduce or solve all of them. For instance, it doesn't solve the SMS delivery hijacking risk, but it does attempt to reduce the phishing risk.

Deficiencies of the status quo

Suppose a user receives the message "747723 is your ExampleCo authentication code." It's possible, even likely, that 747723 is a one-time code for use on https://example.com. But because there is no standard text format for SMS delivery of one-time codes, systems which want to make programmatic use of such codes must rely on heuristics, both to locate the code in the message and to associate the code with a website. Heuristics are prone to failure and may even be hazardous.

End users shouldn't have to manually copy-and-paste one-time codes from SMSes to their browser, and codes sent by a site should only be provided to the actual site which sent it.

Goals

The goals of this proposal are to

  1. eliminate the need to rely on heuristics for programmatic extraction of one-time codes from SMS messages, and to
  2. reliably associate one-time codes intended for use on a specific website with that site.

Non-goals

This proposal does not set out to

  1. expose the contents of arbitrary SMS messages to websites, or to
  2. restrict the sources from which browsers may source one-time codes for providing them to websites.

Proposal

To address this, we propose a lightweight text format that services may use for delivering one-time codes over SMS. The format associates the code with the website's origin. We call such codes origin-bound one-time codes, and we call such messages origin-bound one-time code messages.

The message format is about as simple as it gets. Messages begin with (optional) human-readable text. The last line of the message contains the origin and the code, with the prefix characters "@" and "#" denoting which is which. Here's an example:

747723 is your ExampleCo authentication code.
    
@example.com #747723

In this example,

  • "https://example.com" is the origin the code is associated with,
  • "747723" is the code, and
  • "747723 is your ExampleCo authentication code.\n\n" is human-readable explanatory text.

The characters "@" and "#" identify the origin and the code, respectively. (We can always introduce additional prefix characters in the future if it turns out we need to include additional information in these messages.)

Some sites use third-party iframes for authentication. In such cases, the third-party iframe's origin can be specified using the same "@" field after the code.

747723 is your ExampleCo authentication code.

@example.com #747723 @ecommerce.example

In this example,

  • "https://example.com" is the origin the code is associated with,
  • "747723" is the code,
  • "https://ecommerce.example" is the origin of the third-party iframe, and
  • "747723 is your ExampleCo authentication code.\n\n" is human-readable explanatory text.

Benefits

Adoption of this format would improve the reliability of systems which today heuristically extract one-time codes from SMS, with clear end-user benefit. It improves reliability of both extracting the code and also associating that code with an origin.

Adoption of this proposal could improve the number of services on which a browser can offer assistance with providing SMS one-time codes to websites (e.g. an AutoFill feature), and could reduce the odds users would enter one-time codes delivered over SMS on sites other than the originating one.

Alternative approaches

No special syntax (status quo)

We believe the status quo provides insufficient programmability (because it relies on heuristics) and, in particular, many typical SMS one-time code message formats in the wild lack reliable origin information.

Stakeholder Feedback

Acknowledgements

Many thanks to Aaron Parecki, Eric Shepherd, Eryn Wells, Jay Mulani, Paul Knight, Ricky Mondello, and Steven Soneff for their valuable feedback on this proposal.

More Repositories

1

webcomponents

Web Components specifications
HTML
4,360
star
2

import-maps

How to control the behavior of JavaScript imports
JavaScript
2,705
star
3

virtual-scroller

1,998
star
4

focus-visible

Polyfill for `:focus-visible`
JavaScript
1,607
star
5

webusb

Connecting hardware to the web.
Bikeshed
1,310
star
6

webpackage

Web packaging format
Go
1,231
star
7

EventListenerOptions

An extension to the DOM event pattern to allow authors to disable support for preventDefault
JavaScript
1,166
star
8

portals

A proposal for enabling seamless navigations between sites or pages
HTML
946
star
9

floc

This proposal has been replaced by the Topics API.
Makefile
934
star
10

inert

Polyfill for the inert attribute and property.
JavaScript
920
star
11

scheduling-apis

APIs for scheduling and controlling prioritized tasks.
HTML
909
star
12

view-transitions

811
star
13

file-system-access

Expose the file system on the user’s device, so Web apps can interoperate with the user’s native applications.
Bikeshed
658
star
14

background-sync

A design and spec for ServiceWorker-based background synchronization
HTML
639
star
15

ua-client-hints

Wouldn't it be nice if `User-Agent` was a (set of) client hints?
Bikeshed
590
star
16

scroll-to-text-fragment

Proposal to allow specifying a text snippet in a URL fragment
HTML
586
star
17

observable

Observable API proposal
Bikeshed
582
star
18

aom

Accessibility Object Model
HTML
567
star
19

kv-storage

[On hold] A proposal for an async key/value storage API for the web
550
star
20

turtledove

TURTLEDOVE
Bikeshed
526
star
21

navigation-api

The new navigation API provides a new interface for navigations and session history, with a focus on single-page application navigations.
Makefile
486
star
22

webmonetization

Proposed Web Monetization standard
HTML
461
star
23

trust-token-api

Trust Token API
Bikeshed
421
star
24

attribution-reporting-api

Attribution Reporting API
Bikeshed
360
star
25

direct-sockets

Direct Sockets API for the web platform
HTML
329
star
26

shape-detection-api

Detection of shapes (faces, QR codes) in images
Bikeshed
304
star
27

display-locking

A repository for the Display Locking spec
HTML
297
star
28

dbsc

Bikeshed
297
star
29

background-fetch

API proposal for background downloading/uploading
Shell
281
star
30

first-party-sets

Bikeshed
280
star
31

serial

Serial ports API for the platform.
HTML
256
star
32

resize-observer

This repository is no longer active. ResizeObserver has moved out of WICG into
HTML
255
star
33

priority-hints

A browser API to enable developers signal the priorities of the resources they need to download.
Bikeshed
249
star
34

sanitizer-api

Bikeshed
227
star
35

is-input-pending

HTML
221
star
36

proposals

A home for well-formed proposed incubations for the web platform. All proposals welcome.
216
star
37

spatial-navigation

Directional focus navigation with arrow keys
JavaScript
212
star
38

js-self-profiling

Proposal for a programmable JS profiling API for collecting JS profiles from real end-user environments
HTML
197
star
39

cq-usecases

Use cases and requirements for standardizing element queries.
HTML
184
star
40

isolated-web-apps

Repository for explainers and other documents related to the Isolated Web Apps proposal.
Bikeshed
182
star
41

visual-viewport

A proposal to add explicit APIs to the Web for querying and setting the visual viewport
HTML
177
star
42

interventions

A place for browsers and web developers to collaborate on user agent interventions.
176
star
43

frame-timing

Frame Timing API
HTML
170
star
44

layout-instability

A proposal for a Layout Instability specification
Makefile
158
star
45

page-lifecycle

Lifecycle API to support system initiated discarding and freezing
HTML
154
star
46

nav-speculation

Proposal to enable privacy-enhanced preloading
HTML
154
star
47

speech-api

Web Speech API
Bikeshed
145
star
48

cookie-store

Asynchronous access to cookies from JavaScript
Bikeshed
143
star
49

construct-stylesheets

API for constructing CSS stylesheet objects
Bikeshed
137
star
50

webhid

Web API for accessing Human Interface Devices (HID)
HTML
137
star
51

color-api

A proposal and draft spec for a Color object for the Web Platform, loosely influenced by the Color.js work. Heavily WIP, if you landed here randomly, please move along.
HTML
132
star
52

fenced-frame

Proposal for a strong boundary between a page and its embedded content
Bikeshed
126
star
53

devtools-protocol

DevTools Protocol
JavaScript
120
star
54

bundle-preloading

Bundles of multiple resources, to improve loading JS and the Web.
HTML
105
star
55

translation-api

A proposal for translator and language detector APIs
Bikeshed
104
star
56

privacy-preserving-ads

Privacy-Preserving Ads
HCL
100
star
57

manifest-incubations

Before install prompt API for installing web applications
HTML
99
star
58

window-controls-overlay

HTML
97
star
59

netinfo

HTML
95
star
60

compression-dictionary-transport

94
star
61

intrinsicsize-attribute

Proposal to add an intrinsicsize attribute to media elements
93
star
62

animation-worklet

🚫 Old repository for AnimationWorklet specification ➡️ New repository: https://github.com/w3c/css-houdini-drafts
Makefile
92
star
63

container-queries

HTML
91
star
64

local-peer-to-peer

↔️ Proposal for local communication between browsers without the aid of a server.
Bikeshed
90
star
65

shared-storage

Explainer for proposed web platform Shared Storage API
Bikeshed
89
star
66

async-append

A way to create DOM and add it to the document without blocking the main thread.
HTML
87
star
67

indexed-db-observers

Prototyping and discussion around indexeddb observers.
WebIDL
84
star
68

canvas-formatted-text

HTML
82
star
69

file-handling

API for web applications to handle files
82
star
70

canvas-color-space

Proposed web platform feature to add color management, wide gamut and high bit-depth support to the <canvas> element.
79
star
71

local-font-access

Web API for enumerating fonts on the local system
Bikeshed
77
star
72

performance-measure-memory

performance.measureMemory API
HTML
77
star
73

digital-credentials

Digital Credentials, like driver's licenses
HTML
77
star
74

handwriting-recognition

Handwriting Recognition Web API Proposal
Bikeshed
75
star
75

web-app-launch

Web App Launch Handler
HTML
75
star
76

pwa-url-handler

72
star
77

ContentPerformancePolicy

A set of policies that a site guarantees to adhere to, browsers enforce, and embedders can count on.
HTML
72
star
78

starter-kit

A simple starter kit for incubations
JavaScript
72
star
79

css-parser-api

This is the repo where the CSS Houdini parser API will be worked on
HTML
71
star
80

close-watcher

A web API proposal for watching for close requests (e.g. Esc, Android back button, ...)
Makefile
71
star
81

eyedropper-api

HTML
69
star
82

idle-detection

A proposal for an idle detection and notification API for the web
Bikeshed
67
star
83

storage-foundation-api-explainer

Explainer showcasing a new web storage API, NativeIO
65
star
84

video-editing

65
star
85

uuid

UUID V4
63
star
86

client-hints-infrastructure

Specification for the Client Hints infrastructure - privacy preserving proactive content negotiation
Bikeshed
61
star
87

sparrow

60
star
88

private-network-access

HTML
58
star
89

element-timing

A proposal for an Element Timing specification.
Bikeshed
57
star
90

document-picture-in-picture

Bikeshed
56
star
91

video-rvfc

video.requestVideoFrameCallback() incubation
HTML
53
star
92

time-to-interactive

Repository for hosting TTI specification and discussions around it.
52
star
93

digital-goods

Bikeshed
50
star
94

soft-navigations

Heuristics to detect Single Page Apps soft navigations
Bikeshed
46
star
95

raw-clipboard-access

An explainer for the Raw Clipboard Access feature
44
star
96

storage-buckets

API proposal for managing multiple storage buckets
Bikeshed
43
star
97

pending-beacon

A better beaconing API
Bikeshed
43
star
98

admin

👋 Ask your questions here! 👋
HTML
42
star
99

web-smart-card

Repository for the Web Smart Card Explainer
HTML
42
star
100

web-preferences-api

The Web Preference API aims to provide a way for sites to override the value for a given user preference (e.g. color-scheme preference) in a way that fully integrates with existing Web APIs.
Bikeshed
41
star