
Phishing Resistant SMS Autofill

Blog post from GitHub

Author: Zhongying Qiao
Word Count: 1,045
Language: English
Summary

Support for the origin-bound draft standard for SMS security codes has been implemented to enhance phishing resistance by associating security codes with the sending site's origin. This standard ensures that autofill features can accurately parse security codes without relying on heuristics, which previously left them vulnerable to phishing attacks. The new format includes a footer in the SMS message that indicates the sender's origin, enabling browsers to autofill security codes only on legitimate sites. Apple's proprietary implementation in iOS 14 and macOS Big Sur supports this standard, with Google proposing the Web OTP API for broader adoption. Despite its vulnerabilities, SMS remains effective against common attacks, balancing security and usability. GitHub supports SMS due to its accessibility and is exploring emerging standards like WebAuthn, which promises improved security and usability. The origin-bound standard represents a simple yet significant step toward enhancing SMS security with minimal investment.
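The origin check the summary describes, as an added example that is not code from the GitHub post or from any browser. It assumes the footer syntax of the origin-bound draft, where the last line of the message reads `@host #code`; the function names, the sample messages and the simplified "same host or subdomain over HTTPS" matching rule are assumptions made for illustration.

```javascript
// Added example: parse an origin-bound SMS code and decide whether a page may
// receive it via autofill. Function names and matching rule are hypothetical.

// Assumed footer syntax (last line of the message): "@host #code".
const FOOTER = /^@([a-z0-9.-]+) #(\S+)$/i;

// Returns { host, code } when the last line is a well-formed footer, else null.
// No heuristic digit-guessing: a message without the footer yields nothing.
function parseOriginBoundCode(message) {
  const lines = message.split(/\r?\n/);
  const match = FOOTER.exec(lines[lines.length - 1]);
  if (!match) return null;
  return { host: match[1].toLowerCase(), code: match[2] };
}

// Returns the code only when the page asking for it belongs to the host named
// in the footer. Assumption: HTTPS only; exact host or a subdomain of it.
function codeForPage(message, pageUrl) {
  const parsed = parseOriginBoundCode(message);
  if (!parsed) return null;
  const page = new URL(pageUrl);
  if (page.protocol !== "https:") return null;
  const pageHost = page.hostname.toLowerCase();
  const sameSite =
    pageHost === parsed.host || pageHost.endsWith("." + parsed.host);
  return sameSite ? parsed.code : null;
}

// Constructed sample messages (not taken from the post).
const BOUND_SMS =
  "123456 is your Example authentication code.\n\n@example.com #123456";
const UNBOUND_SMS = "123456 is your Example authentication code.";

function demo() {
  return {
    legitimate: codeForPage(BOUND_SMS, "https://example.com/login"),
    subdomain: codeForPage(BOUND_SMS, "https://login.example.com/"),
    lookalike: codeForPage(BOUND_SMS, "https://example.com.evil.test/login"),
    suffixTrick: codeForPage(BOUND_SMS, "https://notexample.com/login"),
    noFooter: codeForPage(UNBOUND_SMS, "https://example.com/login"),
  };
}

console.log(demo());
```

The lookalike and suffix-trick hosts get no code because matching is done on the parsed hostname with a dot boundary, not on a substring of the URL.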