kunaguvarun Does any other browser (Chrome/Edge/Firefox) have this feature?
Retrieve 2FA codes from messages when signing in
- Edited
Not that I know of. However, I think that the Android version of Google Chrome does automatically copy message codes to text fields on websites. Nevertheless, it would be an awesome feature to have on Orion.
kunaguvarun It is because it is currently not possible.
Maybe, but I'm not sure how Safari does it though. I think Google Chrome is also catching up on it, especially on the Android version. I've not seen this done on the desktop version by any player other than Safari.
- Edited
kunaguvarun Safari does it because it has direct access to SMSes. Apple does not make that available for third-party apps.
Text messages as an authentication method are not secure anyway. Sure, it is very nice Safari/macOS functionality, but the world will move forward towards PassKey etc. very soon.
- Edited
Okay, do the world a favour and tell all the websites to stop using it.
What are you, a blackhat researcher? Bah
Thanks for the reference, it looks like this is indeed somehow possible.
Code for 2fhey is here:
https://github.com/SoFriendly/2fhey
Brief Summary
Autofill one-time SMS passcodes sent to iMessage, similarly to how Safari does it.
Details:
Basically, nothing special. In the screenshot below I show an example of how this feature works at google.com using Safari. I have iMessage synced on my MacBook. AFAIK that is a pretty old feature.
Image/Video:
I did a small amount of reading on what 2fhey does. They poll the file "/Library/Messages/chat.db" [1] in the home folder and read the changes. It is an SQLite database file which requires the full disk access permission to read. When new messages are found, they filter out any that are not OTP. For the filtering they use specific message tests [2] to determine what the code is and the service the code belongs to [3].
[1] https://github.com/SoFriendly/2fhey/blob/main/TwoFHey/DataManagement/MessageManager.swift#L47
[2] https://github.com/SoFriendly/2fhey/blob/main/TwoFHey/OTPParser/OTPParserContants.swift#L9
[3] https://github.com/SoFriendly/2fhey/blob/main/TwoFHey/OTPParser/OTPParser.swift#L124
Possibly relevant side note: there is some talk online about newer (macOS 13) message content data being encoded as a plist rather than plaintext. I do not know if that applies to SMS messages or not.
- Edited
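Added example, not code from this thread or from 2fhey itself: the poll-the-database-then-filter loop described above, run against a constructed in-memory SQLite table standing in for chat.db. The table schema, the OTP keyword list and the service shortlist are assumptions for the demo, not the real chat.db layout or 2fhey's exact parsing rules.

```python
import re
import sqlite3

# Constructed stand-in for the `message` table in Messages' chat.db; the real
# schema has many more columns, only the poll-by-ROWID pattern is modelled.
SCHEMA = "CREATE TABLE message (ROWID INTEGER PRIMARY KEY, text TEXT, is_from_me INTEGER)"
SAMPLE_MESSAGES = [  # constructed incoming texts, not real SMS content
    "Your Google verification code is 482913",
    "hey are we still on for 7pm?",
    "123456 is your Amazon OTP. Do not share it with anyone.",
    "Use code G-771234 to sign in to your account",
]
# Heuristics in the spirit of 2fhey's OTPParser (assumed, simplified): an OTP
# keyword must be present, then a 4-8 digit code, optionally prefixed "G-".
OTP_KEYWORDS = re.compile(r"\b(code|otp|verification|passcode|one-time|2fa)\b", re.I)
CODE_PATTERN = re.compile(r"(?<![\d-])(?:G-)?\d{4,8}(?![\d-])")
SERVICE_PATTERN = re.compile(r"\b(Google|Amazon|Apple|GitHub|Kagi)\b", re.I)  # constructed

def parse_otp(text):
    """Return (service, code) when text looks like an OTP message, else None."""
    if not OTP_KEYWORDS.search(text):
        return None
    m = CODE_PATTERN.search(text)
    if not m:
        return None
    svc = SERVICE_PATTERN.search(text)
    return (svc.group(1) if svc else "unknown", m.group(0).split("-")[-1])

class MessagePoller:
    """Remembers the last seen ROWID so each poll inspects only new incoming rows."""

    def __init__(self, conn):
        self.conn = conn  # start after existing rows so old messages are never surfaced
        self.last_rowid = conn.execute("SELECT COALESCE(MAX(ROWID), 0) FROM message").fetchone()[0]

    def poll(self):
        sql = "SELECT ROWID, text FROM message WHERE ROWID > ? AND is_from_me = 0 ORDER BY ROWID"
        found = []
        for rowid, text in self.conn.execute(sql, (self.last_rowid,)):
            self.last_rowid = rowid
            parsed = parse_otp(text or "")  # text is NULL when the body is stored elsewhere
            if parsed:
                found.append(parsed)
        return found

def demo():
    """Insert the sample rows, then poll twice: the second poll must return nothing."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    poller = MessagePoller(conn)
    conn.executemany("INSERT INTO message (text, is_from_me) VALUES (?, 0)", [(t,) for t in SAMPLE_MESSAGES])
    return poller.poll(), poller.poll()
```

Only rows newer than the remembered ROWID are inspected, so a code is surfaced once and never re-read from history.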
running-catastrophe Thanks for digging deeper into this. How would this work in Orion, and at what time do you imagine Orion would ask for full access permissions?
Vlad I would suggest showing a prompt explaining the need for the full disk access when the user puts focus on a text input having the autocomplete="one-time-code" attribute. If the user declines, it still should be accessible from the "Passwords" tab in Settings. Maybe a checkbox "Autofill one-time passwords from Messages", which shows the same prompt for the full disk access when clicked. A good UX would be first explaining the need with Accept/Decline, and only on Accept should the system permission window appear.
[1] https://developer.apple.com/documentation/security/password_autofill
[2] https://developer.apple.com/documentation/security/password_autofill/about_the_password_autofill_workflow
Not sure whether that's 100% relevant, but could be a starting point?
Quoting from [2]:
Security code. If the system can parse a security code from an SMS message, the QuickType bar shows the code for up to three minutes after it has been received. If a security code arrives while the text input view is selected, the system pushes the incoming code to the QuickType bar.
To test the format of your SMS code for different languages, text a message to yourself. If you receive a message with an underlined security code, tap on the code. If a Copy Code option appears, the system has recognized your code.
Doesn't sound too far off, does it?
Here's another option while this gets implemented into Orion:
- use Raycast as your Spotlight replacement
- customize a hotkey to quickly retrieve the 2FA messages using the 2FA message retriever extensions, which would make it almost similar to 1Password's cmd + '\' for "universal auto-fill".
Orion could use the code from that as inspiration.