Brief Summary
Autofill one-time SMS passcodes sent to iMessage similarly to how Safari does that.

Details:
Basically, nothing special. In the screenshot below I show an example of how this feature works at google.com using Safari. I have iMessage synced on my MacBook. AFAIK that is a pretty old feature.

Image/Video:

    24 days later

    I did a small amount of reading what 2fhey does. They poll the file "/Library/Messages/chat.db" [1] in the home folder and read the changes. It is an sqlite database file which requires full disk access permission to read. When new messages are found they filter out any that are not OTP. For the filtering they use specific message tests [2] to determine what the code is and the service the code belongs to [3].

    [1] https://github.com/SoFriendly/2fhey/blob/main/TwoFHey/DataManagement/MessageManager.swift#L47
    [2] https://github.com/SoFriendly/2fhey/blob/main/TwoFHey/OTPParser/OTPParserContants.swift#L9
    [3] https://github.com/SoFriendly/2fhey/blob/main/TwoFHey/OTPParser/OTPParser.swift#L124

    Possibly relevant side note: there is some talk online about newer (macOS 13) message content data being encoded as a plist rather than plaintext. I do not know if that applies to SMS messages or not.

    • Vlad replied to this.

      running-catastrophe Thanks for digging deeper into this. How would this work in Orion and at what time do you imagine Orion would ask for full access permissions?

        23 days later

        Vlad I would suggest showing a prompt explaining the need for the full disk access when the user puts a focus on a text input having the autocomplete="one-time-code" attribute. If the user declines, it still should be accessible from the "Passwords" tab in Settings. Maybe a checkbox "Autofill one-time passwords from Messages", which shows the same prompt for the full disk access when clicked. A good UX would be first explaining the need with Accept/Decline, and only on Accept the system permission window should appear.

          eugenef The issue with this is asking for full disk permissions even though the auth mechanism itself may not even use SMS at all and some users may freak out? Please also provide the full text of the proposed message.

            [1] https://developer.apple.com/documentation/security/password_autofill
            [2] https://developer.apple.com/documentation/security/password_autofill/about_the_password_autofill_workflow

            Not sure whether that's 100% relevant, but could be a starting point?

            Quoting from [2]:

            Security code. If the system can parse a security code from an SMS message, the QuickType bar shows the code for up to three minutes after it has been received. If a security code arrives while the text input view is selected, the system pushes the incoming code to the QuickType bar.
            To test the format of your SMS code for different languages, text a message to yourself. If you receive a message with an underlined security code, tap on the code. If a Copy Code option appears, the system has recognized your code.

            Doesn't sound too far off, does it?
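
The filtering step discussed in this thread (keep only messages that look like OTPs, then honour the three-minute window quoted from Apple's documentation), as an added example that is not code from 2fhey, Orion or Apple. The keyword list, code lengths, single-candidate rule and function names are assumptions; it works on constructed message text and timestamps only and does not read chat.db.

```python
import re
from datetime import datetime, timedelta, timezone

# Assumptions for illustration: keyword list, code lengths, single-candidate rule.
OTP_WORDING = re.compile(r"\b(code|passcode|otp|verification|one[- ]time|2fa|pin)\b", re.I)
# 4-8 digits, or 3+3 digits split by a space/hyphen, that are not glued to
# other digits, letters, currency signs, dates or decimals.
CANDIDATE = re.compile(r"(?<![\w.,:/+$-])(\d{3}[- ]\d{3}|\d{4,8})(?![\w/+-]|[.,:]\d)")
MAX_AGE = timedelta(minutes=3)  # window quoted from Apple's documentation


def extract_code(text, received, now):
    """Return the code in `text`, or None if stale, not OTP-like, or ambiguous."""
    age = now - received
    if age < timedelta(0) or age > MAX_AGE:
        return None  # stale or future-dated: never offer it for autofill
    if not OTP_WORDING.search(text):
        return None  # digits without OTP wording (orders, invoices, ...)
    found = {re.sub(r"[- ]", "", m) for m in CANDIDATE.findall(text)}
    # Fail closed: filling the wrong number into a login form is worse than none.
    return found.pop() if len(found) == 1 else None


def newest_code(messages, now):
    """Scan (text, received) pairs newest first; return the first usable code."""
    for text, received in sorted(messages, key=lambda m: m[1], reverse=True):
        code = extract_code(text, received, now)
        if code:
            return code
    return None


# Constructed sample messages, not real data.
NOW = datetime(2023, 9, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE = [
    ("Your order 20231105 ships tomorrow.", NOW - timedelta(minutes=1)),
    ("Your Example verification code is 482913. Do not share it.",
     NOW - timedelta(minutes=2)),
    ("Your Example verification code is 111222.", NOW - timedelta(minutes=10)),
]

if __name__ == "__main__":
    print(newest_code(SAMPLE, NOW))
```
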

              6 days later
              ForumNinja404 changed the title to Retrieve 2FA codes from messages when signing in.

                Here's another option while this gets implemented in Orion:

                1. Use Raycast as your Spotlight replacement.
                2. Customize a hotkey to quickly retrieve the 2FA messages using the 2FA message retriever extensions, which would make it almost similar to 1PW's cmd + '\' for "universal auto-fill".
                7 days later

                For those who want this feature ASAP, as soon as Sonoma launches the iCloud password extensions should be able to handle that.

                • Vlad replied to this.

                  why does my account show as deleted?

                  • eirk replied to this.

                    orionnewb reload the page, something cached incorrectly. that comment shows up fine for me

                      Tinholoco This extension now works in Orion RC, we'd appreciate feedback.

                        Vlad Maybe something like that?

                        Title: Access Messages to AutoFill 2FA

                        Text: Orion offers enhanced functionality to automatically scan your SMS messages for 2FA codes. To enable this feature, you'll need to grant Full Disk Access. With this permission, Orion can retrieve one-time passwords from your Messages app for AutoFill. Would you like to authorize Full Disk Access?

                        [ Grant Access ] [ Not Now ]

                        If the user agrees, show them an alert with instructions on how to do that (as other apps do) and two other buttons:

                        [ Go to System Settings ] [ Not Now ]

                        Please also check this convenience wrapper for requesting macOS permissions:
                        https://github.com/MacPaw/PermissionsKit

                          Vlad In my opinion, it would be great to show this the first time when the user puts a focus on a text input having the autocomplete="one-time-code" attribute. If declined, there should be another alert:

                          You can always turn this feature on in Orion settings.

                          [ OK ]

                          In the "Passwords" tab in Settings there should be a checkbox or an on/off indicator named "Autofill one-time passwords from Messages". When no Full Disk Access is granted, clicking it would show the same prompt explaining the need for the full disk access. When already having Full Disk Access, it should be turned on showing that AutoFill SMS 2FA is up and running.