The proposal has two main objectives. The first is to come up with a way for OTP messages to be associated with a URL: this can be done easily enough by including the login URL within the message itself. The second is to standardize the format of two-factor authentication (2FA) and OTP messages so that browsers and mobile apps can automatically read the incoming code and fill it in on the appropriate website, without any user interaction.
It’s hoped that by automating the process, users are less likely to fall victim to scams by inadvertently entering codes on phishing sites. If the auto-complete function fails, it means there’s a mismatch between the website’s actual URL and the website they’re trying to access; if the two are not the same, they’ll be instructed to stop the process.
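The check described above can be sketched as follows; this is an added illustration, not code from the proposal or from this article. It assumes the `@host #code` final-line syntax of the published draft, which the article does not reproduce, and the function names, sample messages and exact-host-or-subdomain matching rule are this example's own.

```javascript
// Assumed syntax (not shown in the article): the final line of the SMS is
// "@<host> #<code>"; everything above it is free text for the human reader.
const LAST_LINE = /^@([a-z0-9.-]+) #([a-z0-9]+)$/i;

// Returns { host, code } for a bound message, or null for a free-form one.
function parseBoundOtp(sms) {
  const lines = sms.trimEnd().split(/\r?\n/);
  const m = LAST_LINE.exec(lines[lines.length - 1]);
  if (!m) return null;
  return { host: m[1].toLowerCase(), code: m[2] };
}

// Hypothetical policy helper: offer the code only when the page is served over
// HTTPS and its host equals the bound host or is a subdomain of it.
function autofillDecision(sms, pageUrl) {
  const bound = parseBoundOtp(sms);
  if (!bound) return { fill: false, reason: "no-binding" };
  let page;
  try {
    page = new URL(pageUrl);
  } catch {
    return { fill: false, reason: "bad-url" };
  }
  if (page.protocol !== "https:") return { fill: false, reason: "not-https" };
  const host = page.hostname.toLowerCase();
  const matches = host === bound.host || host.endsWith("." + bound.host);
  return matches
    ? { fill: true, code: bound.code }
    : { fill: false, reason: "host-mismatch" };
}

// Constructed sample messages (not real traffic).
const BOUND_SMS =
  "747723 is your Example authentication code.\n\n@example.com #747723";
const FREEFORM_SMS = "Your Example code is 747723";

// Constructed page URLs: the real site, a lookalike host, a plain-HTTP page.
for (const url of [
  "https://login.example.com/2fa",
  "https://example.com.evil.test/2fa",
  "http://example.com/2fa",
]) {
  console.log(url, autofillDecision(BOUND_SMS, url));
}
console.log("free-form", autofillDecision(FREEFORM_SMS, "https://example.com/"));
```

The lookalike host is refused because the comparison is made on the parsed hostname, not on a substring of the URL.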
The ability to pull OTP codes from SMS messages has already been added to iOS 13, but the proposal — which has also been backed by Google engineers — would make it a multi-platform standard for everyone. With these major tech giants behind the standard — and others likely to follow suit — the companies that offer OTP services will be expected to fall in line. According to ZDNet, one well-known provider, Twilio, has already expressed interest in the new format.