If you’ve noticed that Apple’s two-factor authentication texts include a lot more extra text than you’re used to, don’t worry – there’s a good reason for that. Like Macworld explain, Apple implemented a previously proposed system that uses domain-bound codes for logins. The extra tags (such as “@apple.com #123456 %apple.com”) are intended to improve the reliability of autocompleting text codes on platforms starting with iOS 14, iPadOS 14, and macOS Big Sur.
The technique theoretically discourages more sophisticated phishing attacks that attempt to intercept and redirect two-factor verification messages. If you’re using one of these newer operating systems, you’ll only get a code autocomplete suggestion if the domain of the website requesting a code matches the one in the text. A phishing site can’t just ask Apple for a code and expect an autocomplete prompt. If you don’t get an autocomplete prompt, there’s a good chance the site is fake.
Apple quietly began delivering code in the new format around November 2021. The concept isn’t necessarily limited to the Apple ecosystem, but it hasn’t been widely adopted elsewhere. Still, don’t be surprised if these lengthy 2FA texts become more common and potentially thwart some phishing campaigns.
All products recommended by Ploonge are selected by our editorial team, independent of our parent company. Some of our stories include affiliate links. If you buy something through one of these links, we may earn an affiliate commission.