506781—the two-factor authentication code needed to access my Dropbox account on November 15, 2015. I know because it’s still there in my SMS history, a permanent record of my accessing Dropbox from new devices. I have full iCloud history in much the same way—332486 was the code on October 4, 2014. I can see the same for Microsoft, Uber, Sony… You get the point.
As I’ve written before, SMS messaging is best avoided—it’s an archaic and unsecured platform with no place among the myriad end-to-end encrypted alternatives we can now use. If you want to message family, friends, colleagues, then skip SMS and use iMessage (blue bubbles only), WhatsApp, Signal, Telegram (albeit its encryption is more complex than the others). And while you may consider your private messages to be of little interest to others, you still seal envelopes despite trusting the postal services and dismissing the risk of your letters being read.
But, somewhat ironically, SMS has become the de facto choice for the one-time codes used as the two-factor authentication (2FA) security for most of the major tech platforms we all use. New Apple or Google logins, Office 365, Dropbox, your bank transactions, WhatsApp, Twitter… and while most offer more secure 2FA options, nothing beats the convenience of a time-boxed six-digit code sent to your phone.
Despite strongly advocating that everyone shift away from SMS and from other messengers that don’t end-to-end encrypt traffic (Facebook Messenger, Instagram and Twitter, for example), I don’t have too much of a problem with SMS being used for 2FA. Provided you MUST never share a code sent by SMS to your phone, even if asked by someone who seems to be a friend or colleague, stealing 2FA codes is fairly rare. It does happen and there have been law enforcement warnings to take care, but SMS 2FA is exponentially safer than no 2FA at all.
And so as we shift from SMS to WhatsApp and other “over-the-top” messengers, those one-time codes remain—especially as our phones prompt us to enter those codes into websites and apps without having to open our SMS messengers. But Google is now doing something about this with its latest Android Messages update—and it’s about time. This is a brilliant new trick and Apple should take note.
Discovered by the team at XDA-Developers, Google “is working on a feature that will automatically delete OTP [one-time password] messages after 24 hours from their receipt… OTPs by very nature are temporary in nature, with most of them being valid for a short time duration of ten minutes or so, depending on the needs of the service… Users may also not always remember deleting these messages once they are done, so automatically deleting them after a day seems to be a useful addition.”
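To make the mechanism concrete, here is an added example (my own illustration, not Google’s Android Messages code) of the two parts such a feature needs: a heuristic that decides whether a text is a one-time code, and a retention policy that drops those messages once they are older than 24 hours. The inbox, the keyword list and the regular expression are constructed for the demonstration; the 24-hour window is the one the article quotes.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Heuristic: a standalone 4-8 digit number plus a word typically found in
# OTP texts. Both conditions are required so that a friend's message that
# happens to contain a year or a house number is not mistaken for a code.
OTP_CODE_RE = re.compile(r"(?<!\d)\d{4,8}(?!\d)")
OTP_KEYWORDS = ("code", "otp", "verification", "passcode", "one-time", "2fa")
OTP_TTL = timedelta(hours=24)  # retention window quoted in the article


@dataclass(frozen=True)
class Sms:
    sender: str
    received_at: datetime
    body: str


def looks_like_otp(msg: Sms) -> bool:
    """Return True when the message body resembles a one-time code text."""
    body = msg.body.lower()
    return bool(OTP_CODE_RE.search(body)) and any(k in body for k in OTP_KEYWORDS)


def expired_otps(inbox: list[Sms], now: datetime, ttl: timedelta = OTP_TTL) -> list[Sms]:
    """Messages that look like OTPs and were received at least `ttl` ago."""
    return [m for m in inbox if looks_like_otp(m) and now - m.received_at >= ttl]


def purge_expired_otps(inbox: list[Sms], now: datetime, ttl: timedelta = OTP_TTL):
    """Split the inbox into messages to keep and expired OTPs to delete."""
    expired = expired_otps(inbox, now, ttl)
    kept = [m for m in inbox if m not in expired]
    return kept, expired


# Constructed sample inbox; the code values are the ones mentioned in the article.
NOW = datetime(2020, 2, 10, 12, 0, tzinfo=timezone.utc)
SAMPLE_INBOX = [
    Sms("Dropbox", NOW - timedelta(hours=30), "Your Dropbox security code is 506781"),
    Sms("Apple", NOW - timedelta(hours=2), "Your Apple ID verification code is: 332486"),
    Sms("Mum", NOW - timedelta(days=3), "Dinner at 7? Bring the 2015 photo album"),
    Sms("Parking", NOW - timedelta(hours=26), "Your parking session expires in 10 minutes"),
]

if __name__ == "__main__":
    kept, expired = purge_expired_otps(SAMPLE_INBOX, NOW)
    for m in expired:
        print(f"deleting expired OTP from {m.sender}: {m.body!r}")
    for m in kept:
        print(f"keeping message from {m.sender}")
```

Run against the sample inbox, only the 30-hour-old Dropbox code is removed: the fresh Apple code stays (it is still inside the window), and the message from Mum stays because a bare number without an OTP keyword does not qualify. The classifier is deliberately conservative, since a false positive here deletes a real conversation; a shipping implementation would lean on sender classification as well as message content.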
Apple does allow users to filter known and unknown senders into separate lists in iMessage, and it does a pretty good job of separating SMS notifications (business promotions, expiring parking sessions, delivery updates and OTP codes) from messages sent by friends and family. Although the Dropbox OTP thread does seem to have made it into my iMessage “Known Sender” list. Apple clearly knows something I don’t.
These one-time codes will become ever more prevalent as we are encouraged to activate 2FA for all the services we use—it’s an absolute must and you should always select it where it’s an option. But it is absolutely pointless to keep those OTPs and irritating to go back into your SMS messages to delete them when they’ve arrived, especially as you’ll usually use the prompt or the lock screen preview instead of the message itself. What we need is a fast game of catch-up from Apple here to deploy this stupidly simple improvement for itself.