We still need a link to any documentation that would allow su to do this (likely not a public feature)
172
Retrieve 2FA codes from messages when signing in
I wish I could be more help. I'll poke around when I get a chance to see if any searching comes up with anything. I'm just a C# guy who's never done much work for the Apple ecosystem.
a month later
Is It possible to add autofill verification code form messages?
Merged 1 post from Auto Full Verification code from text.
3 months later
- Edited
Found a WWDC presentation about this feature here. I'm not sure if this can be of any help to implement this feature on Orion. Honestly, this is a very beloved feature that I'm very much interested to be implemented. Password AutoFill starts at 7:27
kunaguvarun Does any other browser (Chrome/Edge/Firefox) have this feature?
- Edited
Not that I know of. However, I think that Android version of Google Chrome does automatically copy message codes to text fields on websites. Nevertheless an awesome feature to have it on Orion.
kunaguvarun It is because it is currently not possible.
Maybe but I'm not sure how Safari does it though. I think Google Chrome is also catching up on it especially on the Android version. I've not seen this done on desktop version by any player other than Safari.
- Edited
kunaguvarun Safari does it because it has direct access to SMSes. Apple does not make that available for 3rd party apps.
a month later
Text messages as an authentication method are not secure anyway. Sure it is very nice Safari/macOS functionality but the world will move forward towards PassKey etc. very soon.
3 months later
- Edited
Okay, do the world a favour and tell all the websites to stop using it.
What are you a blackhat researcher? Bah
Thanks for the reference it looks like this is indeed somehow possible.
Code for 2hey is here
https://github.com/SoFriendly/2fhey
a month later
Brief Summary
Autofill one-time SMS passcodes sent to iMessage similarly to how Safari does that.
Details:
Basically, nothing special. In the screenshot below I show an example of how this feature works at google.com using Safari. I have iMessage synced on my Macbook. Afaik that is pretty old feature.
Image/Video:
Merged 2 posts from Add support for one-time SMS passcode autofill..
24 days later
I did a small amount of reading what 2fhey does. They poll the file "/Library/Messages/chat.db"1 in the home folder and read the changes. It is an sqlite database file which requires full disk access permission to read. When new messages are found they filter out any that are not OTP. For the filtering they use specific message tests2 to determine what the code is and the service the code belongs to3.
[1] https://github.com/SoFriendly/2fhey/blob/main/TwoFHey/DataManagement/MessageManager.swift#L47
[2] https://github.com/SoFriendly/2fhey/blob/main/TwoFHey/OTPParser/OTPParserContants.swift#L9
[3] https://github.com/SoFriendly/2fhey/blob/main/TwoFHey/OTPParser/OTPParser.swift#L124
Possibly relevant side note: there is some talk online about newer (macOS 13) message content data being encoded as a plist rather than plaintext. I do not know if that applies to SMS messages or not.
- Edited
running-catastrophe Thanks for digging deeper into this. How would this work in Orion and at what time you imagine Orion would ask for full access permissions?
23 days later
Vlad I would suggest showing a prompt explaining the need for the full disk access when the user puts a focus on a text input having the autocomplete="one-time-code" attribute. If user declines, it still should be accessible from the "Passwords" tab in Settings. Maybe a checkbox "Autofill one-time passwords from Messages", which shows the same prompt for the full disk access when clicked. A good UX would be first explaining the need with Accept/Decline, and only on Accept the system permission window should appear.