@samuelgoto @hober, what's the status of this incubation? Did it end up getting upstreamed to HTML or somewhere else or is the work still ongoing?

https://developer.apple.com/documentation/security/one-time_codes/enabling_autofill_for_domain-bound_sms_codes says that the embedded domain is introduced with %. https://wicg.github.io/sms-one-time-codes/#format says it's introduced with @. Which is it?

The Protocol and port number are hard-coded in the specification. Was this done on purpose?

OTP codes have two common use cases:

1. Verifying the identity of a user that contacts the support team (phone / chat)
2. Verifying the identity of a user logging in / performing step-up authentication on a system

Malicious actors very commonly get in touch with an end-user under the guise of being a legitimate support team member and ask the end-user to provide the OTP code that they just sent. Appending the following text will serve as a mitigation to users falling for this attack vector:

1. "ExampleCo staff will ask for this code"
2. "ExampleCo staff will NOT ask for this code"

I think it would be useful to allow a service that wants to send domain-bound codes to be able to opt into a stricter matching mechanism. Common examples that come to mind are hosting services or blog services that have user login on their TLD-plus-one and serve user content from subdomains. For example, Example Hosting Service has a login form on example.com and serves userA's content from userA.example.com.

Under our current matching scheme a code sent as @example.com #123456 would match example.com and userA.example.com since they're "same site" with each other. We should give these sites a way to express that they only want to match with example.com and no subdomains with a minimal amount of extra syntax. I think a natural extension of what we have so far is to use two @ signs as the field sigil. So, an SMS that reads @@example.com #123456 would match only example.com.

• Publish sms-one-time-codes explainer and spec
• Add sms-one-time-codes to WICG's biblio.json
  • Wait for this to propagate to https://github.com/tobie/specref/blob/master/refs/wicg.json
  • Wait for this to propagate to https://github.com/tabatkins/bikeshed-data biblio
  • Get one of Fantasai, Peter, or Tab to update https://github.com/tabatkins/bikeshed-data anchors
• Update WebOTP to cite sms-one-time-codes
• Drop the old explainer from webkit/explainers
• Transfer or resolve related issues filed in webkit/explainers
  • WebKit/explainers#8
  • WebKit/explainers#11
  • WebKit/explainers#25
  • WebKit/explainers#28
• Transfer or resolve related issues filed in WICG/WebOTP
  • WICG/web-otp#5
  • WICG/web-otp#15

The current parsing algorithm accepts any character between '@' and space to be the host part of the origin.

However per URL spec host cannot contain certain characters:
"A forbidden host code point is U+0000 NULL, U+0009 TAB, U+000A LF, U+000D CR, U+0020 SPACE, U+0023 (#), U+0025 (%), U+002F (/), U+003A (:), U+003C (<), U+003E (>), U+003F (?), U+0040 (@), U+005B ([), U+005C (), U+005D (]), or U+005E (^)."

I think it makes sense to verify the captured host is valid before accepting it.

IMHO the current parsing logic is a bit too strict when handling the space between host and code:

1. It requires exactly one SPACE
2. It requires SPACE and not a more general whitespace which includes TAB as well.

I suggest we relax these two requirements.

A secondary but somewhat related concern the parsing logic in some places uses ASCII whitespace and in some place uses SPACE. I think it would be much easier to have a single concept of white space that we use in the whole parsing algorithm.

This could be either:

• ASCII whitespace: which includes U+0009 TAB, U+000A LF, U+000C FF, U+000D CR, or U+0020 SPACE. One concern is that it includes LF and CR which are not relevant given that parsing is happening on a single line.
• Custom define white space for this spec to just be: U+0020 SPACE + U+0009 TAB

Currently the origin-bound one-time code messages can optionally begin with human-readable explanatory text. When such text is in place, the origin-bound one-time code must be on a new line (last line). The benefits are obvious (easy to distinguish from explanatory text, easy to parse etc.)

Problem
We found that the newline character from SMS is not very reliable. e.g. it may get translated into whitespace by SMS carriers / aggregators due to different encoding. We have seen several partners encountering this issue with the WebOTP API and we suppose Safari may have similar observation. In addition, many partners prefer not to use newlines in their SMS due to this particular reason along with other reasons.

Proposal
We suggest dropping the newline requirement from the SMS and allow origin-bound one-time code to be on the same line as the explanatory text. Here are some examples.

Valid origin-bound one-time code message as of today

747723 is your ExampleCo authentication code.
@example.com #747723

747723 is your ExampleCo authentication code.
@example.com #747723 sent by ExampleCo

@example.com #747723   Your ExampleCo authentication code is 747723.

Proposed valid origin-bound one-time code message

747723 is your ExampleCo authentication code. @example.com #747723

747723 is your ExampleCo authentication code. @example.com #747723 sent by ExampleCo

747723 is your ExampleCo authentication code. @example.com #747723 sent by @ExampleCo

Lots of sites embed an iframe from a different origin that handles authentication for them. This is sometimes a third party, or maybe it's a separate service run by the same party. One obvious example is icloud.com, which uses apple.com for authentication.

Should we support such cases? If so, why, and how would the spec need to change? If not, why not?