Add support for auto filling one time passwords generated by a third party application

Originator: blesserx
Number: rdar://41123134
Date Originated: 14-Jun-2018 09:18 PM
Status: Duplicated/40890518 (Open)
Resolved:
Product: iOS + SDK
Product Version: 12
Classification: Security
Reproducible: Always
 
Summary:
This is a duplicate of radar #40890518

Hi there!

The new AuthenticationServices [1] in iOS 12 allows for supplying usernames and passwords to the system, which in turn can then be auto filled by the system into the login form that is currently displayed to the user. In addition, iOS 12 allows auto filling one time passwords sent to the user via SMS.

However, there are a lot of services which do not send one time passwords via SMS (like Google, Dropbox, Microsoft, Amazon, ...). Instead they use a third party app for generating these one time passwords for the user. These apps generate the code using two RFC standards:
* RFC 4226: https://tools.ietf.org/html/rfc4226
* RFC 6238: https://tools.ietf.org/html/rfc6238
Examples of such applications are Google Authenticator [2], OTP Auth [3] and Authy [4].

Now my suggestion: Why not allow these one time password applications ([2], [3], [4], ...) to supply the one time password to the system? Why is the one time password auto fill restricted to codes sent via SMS?

Best regards,
Roland

[1]: https://developer.apple.com/documentation/authenticationservices
[2]: https://itunes.apple.com/de/app/google-authenticator/id388497605?mt=8
[3]: https://itunes.apple.com/us/app/otp-auth/id659877384?mt=8
[4]: https://itunes.apple.com/de/app/authy/id494168017?mt=8


Steps to Reproduce:
 

Expected Results:
 

Actual Results:
 

Version:
12

Notes:
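
The code generation that RFC 4226 and RFC 6238 specify, and that the report says the third party apps perform, as an added example that is not part of the original report and is not code from Apple or from any of the apps named. The function names are this example's own, and the key is the test key published in the RFCs' appendices, not a real secret.

```python
import hashlib
import hmac
import struct
import time
from typing import Optional

# Test key published in RFC 4226 Appendix D and RFC 6238 Appendix B.
RFC_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6, algo: str = "sha1") -> str:
    """RFC 4226: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F  # low nibble of the last byte selects a 4-byte window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF  # clear top bit
    return str(code % 10 ** digits).zfill(digits)  # keep leading zeros


def totp(secret: bytes, at: Optional[float] = None, step: int = 30,
         digits: int = 6, algo: str = "sha1", t0: int = 0) -> str:
    """RFC 6238: HOTP whose counter is the number of `step`-second periods since t0."""
    now = time.time() if at is None else at
    return hotp(secret, int((now - t0) // step), digits, algo)


def verify(secret: bytes, candidate: str, at: Optional[float] = None,
           window: int = 1, step: int = 30, digits: int = 6) -> bool:
    """Relying-party check: accept codes within +/- `window` steps of clock drift."""
    now = time.time() if at is None else at
    ok = False
    for drift in range(-window, window + 1):
        expected = totp(secret, now + drift * step, step, digits)
        # Constant-time comparison; every window position is always evaluated.
        ok |= hmac.compare_digest(expected.encode(), candidate.encode())
    return ok


if __name__ == "__main__":
    # The code depends only on the shared secret and the clock, so it is
    # produced on the device with no SMS or network round trip.
    print("current code:", totp(RFC_SECRET))
    print("RFC 6238 vector at t=59:", totp(RFC_SECRET, at=59, digits=8))
```
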
