Many websites and apps offer extra login security in the form of SMS-delivered codes. On iPhone, Security Code AutoFill makes it easy for people to quickly deliver these codes by offering them in the QuickType bar. On a Mac running macOS Big Sur, Mac Catalyst and AppKit apps can also take advantage of this feature.
In addition, with iOS 14 and macOS Big Sur, we add an extra layer of security to SMS-delivered codes by letting you link codes to a specific web domain.
This is how domain-bound codes work
When using a domain-bound code, AutoFill will suggest the code if ̵
@example.com #123456, AutoFill will offer to fill in that code when interacting with example.com, any of the subdomains, or an app associated with example.com. If you instead receive an SMS message that ends with
@example.net #123456, AutoFill will not offer the code on example.com or in example.com’s affiliate app. This makes it harder for an attacker to trick someone into entering one-time codes on a phishing site.
While iOS and macOS will also display standard SMS-delivered tags in addition to domain-bound tags, we encourage anyone using this authentication method to apply this standard to provide a more secure experience for people on your site or app. If a message does not contain any domain information, it will continue to be offered in all relevant fields through AutoFill.
How to set up SMS domain-bound codes
You can take advantage of domain-bound codes on both sites and apps with associated domains.
Set up domain-bound codes for your site
In most cases, AutoFill will work automatically on Safari for iOS and macOS Big Sur, and requires no additional information from you. In cases where it does not, you can add
autocomplete=one-time-code attribute of the site’s text field. This shows that Safari offers current codes in that field.
Set up domain-bound codes for your app
You can support domain-bound codes by specifying an associated domain for your app. If you support Universal Links for your domain, or if AutoFill is currently suggesting stored passwords for your domain in the login screens of your app, your app is already associated with your domain.
Learn more about affiliate domain support
Note: If you’re having trouble testing your app’s login feeds, you may need to provide an extra hint as to which fields in the app are one-time code fields. For iOS and Mac Catalyst apps, enter the field
textContentType property to
UITextContentType.oneTimeCode. For AppKit apps on macOS,
NSTextField have one
contentType property that you should enter
How to format SMS domain bound codes
Once your app or website is set up to receive domain-bound tags, you need to provide a simple addition to the text messages you send through your backend service to include both the domain and the code. This is what the text you send out looks like:
123456 is your Example code. @example.com #123456
Everything above the last line of the message is free. You are free to customize this part you want, but it should be something that makes sense to people who receive the code.
The last line of this message provides AutoFill on the iPhone, iPad, or Mac with the information it needs to link the domain and code together and suggest the code for that webpage or app.
For domain-bound codes to work properly, you must include this information in the last line of the message, and it must contain the domain and code in the correct order.
This is the first part of the last line, and contains the domain of the app or website where you want the code to be filled out. Be sure to place a single space after your domain before beginning the segment with a one-time code.
#123456 (represents the code 123456)
The second part of the last line begins with # and contains the string with the app or site’s one-time code.
Improve SMS-delivered codes
Domain-bound codes are easy for developers to implement, easy for people who use their apps and websites to understand, and provide more security to the SMS-delivered codes. You can also learn more about domain-bound codes and the development of the message format in W3C’s Web Platform Incubator Community Group.
Learn more about domain-bound codes
Allow apps and websites to link to your content