Google updates Chrome and takes the opportunity to deploy in the browser an easier way to use certain verification codes sent by SMS.
We say it and we keep repeating it: to secure an account on a website, it is not enough to choose a strong and unique password. Strong authentication (also called two-factor authentication) should also be used when the option is available. This adds an extra layer of security and helps limit the damage if your password is ever disclosed.
Security SMS that go from phone to PC
It turns out that Google had the idea, with version 93 of its Chrome web browser, to make the use of strong authentication more user-friendly. This usually takes the form of a code of a few digits, which is either sent by SMS or generated by an application, such as Authy or Google Authenticator. Of course, the SMS option presupposes that you have associated your phone number with the account to be protected.
It is on the first scenario, sending a code by SMS, that Google has focused. Chrome 93, which has been available since August 31, 2021, offers to synchronize the codes received on the smartphone with your computer, so that you have them in front of you and, if possible, can insert them directly into the input field provided for this purpose, and therefore connect to the website concerned.
The technology used by Google was featured prominently online through a July 28 blog post. “One-time passwords via SMS (or SMS OTP) are commonly used to verify a phone number, for example as a second step of authentication, or to verify payments on the web,” recall the two authors of the publication, Yi Gu and Eiji Kitamura.
“But,” they continue, “the whole process of switching from desktop to mobile, opening the SMS app, memorizing and entering the OTP on the original website, back to the desktop, adds friction. It’s easy to make mistakes this way and it’s vulnerable to phishing attacks.” So in this case, why not transfer this SMS code from the smartphone to the PC?
Practical, provided you meet all the prerequisites
This friction can therefore be avoided thanks to Google Chrome, but this requires first completing a list of prerequisites:
- You must have a desktop PC or a laptop PC (running Windows, Mac, Linux or Chrome OS).
- On the smartphone side, it must run Android and have Google Play Services version 20.30.12 or higher.
- Install Google Chrome 93 (or higher, since the functionality is intended to remain) on the PC and smartphone that will participate in this transfer.
- Sign in to the same Google account via Chrome, both on the PC and on the mobile.
- Connect to Android on the smartphone via “Settings” -> “Google”.
- Set Chrome 93 as the default web browser on the Android smartphone.
- Have Chrome 93 displayed on the smartphone screen or, at least, running in the background.
If you are willing to live entirely within the Google ecosystem and if you have the patience to meet all of these prerequisites, then you will be able to benefit from this SMS code transfer and handle one-time passwords almost seamlessly. Note that a demo page is available to simulate this transfer.
On a technical level, Google uses the WebOTP API (Web One Time Password), which is used to verify telephone numbers on the web. It is not limited to Google, as evidenced by Mozilla’s documentation about it: it “provides a method to verify that a phone number belongs to the user, by generating a one-time password upon receipt of a specially formatted SMS message”.
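To make the “specially formatted SMS message” concrete, here is an added example (not code from Google, Mozilla or this article) of the origin-bound format described in the WebOTP documentation, where the last line of the SMS reads `@host #code`, together with the browser-side request. The sample message, the `example.com` host and the helper names `parseBoundCode`, `codeForOrigin` and `requestOtp` are assumptions made for illustration.

```javascript
// Constructed sample SMS: free text, then a final line binding the code to a host.
const SAMPLE_SMS = 'Your verification code is 123456.\n\n@www.example.com #123456';

// Parse the last line of the SMS. Returns { host, code }, or null when the
// message is not in the bound format (simplified: top-level sites only).
function parseBoundCode(sms) {
  const lines = sms.trimEnd().split(/\r?\n/);
  const m = /^@([A-Za-z0-9.-]+) #([A-Za-z0-9]+)$/.exec(lines[lines.length - 1]);
  return m ? { host: m[1].toLowerCase(), code: m[2] } : null;
}

// Release the code only to the HTTPS origin named in the message. This is the
// property that keeps a look-alike site from receiving the code automatically.
function codeForOrigin(sms, origin) {
  const bound = parseBoundCode(sms);
  if (!bound) return null;
  const url = new URL(origin);
  if (url.protocol !== 'https:') return null; // WebOTP needs a secure context
  return url.hostname === bound.host ? bound.code : null;
}

// Browser side: ask for the OTP and give up after a timeout so the page can
// fall back to manual entry. Resolves to null where WebOTP is unavailable.
async function requestOtp(timeoutMs = 60000) {
  if (typeof window === 'undefined' || !('OTPCredential' in window)) return null;
  const ac = new AbortController();
  const timer = setTimeout(() => ac.abort(), timeoutMs);
  try {
    const cred = await navigator.credentials.get({
      otp: { transport: ['sms'] },
      signal: ac.signal,
    });
    return cred ? cred.code : null;
  } catch (err) {
    return null; // aborted, permission denied, or no matching SMS
  } finally {
    clearTimeout(timer);
  }
}
```

The code delivered this way is still an ordinary SMS OTP: the server must verify it exactly as it would a manually typed one.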
It should be noted that among the various methods of two-factor authentication, the one based on SMS is not the most secure. There are certain specific attacks that can weaken it, such as SIM swapping, which could have caused problems, including for tech bosses. But let's be fair: two-factor authentication by SMS is better than nothing at all.
The changes announced by Google for Chrome 93 set the stage. Now, it remains for the platforms to seize the opportunity.