Here's why your Apple two-factor texts include strange tags

The move helps thwart phishing attacks.

Sponsored Links

Apple's Messages icon displayed on a phone screen is seen in this illustration photo taken in Krakow, Poland on August 26, 2021. (Photo Illustration by Jakub Porzycki/NurPhoto via Getty Images)
Jakub Porzycki/NurPhoto via Getty Images

If you've noticed that Apple's two-factor authentication texts include much more extra text than you're used to, don't fret — there's a good reason for it. As Macworld explains, Apple has implemented a previously proposed system that uses domain-bound codes for sign-ins. The extra tags (such as "@apple.com #123456 %apple.com") are meant to improve the trustworthiness of autofilling text codes in platforms starting with iOS 14, iPadOS 14 and macOS Big Sur.

The technique theoretically discourages more sophisticated phishing attacks that try to intercept and redirect two-factor verification messages. If you're using one of those more recent operating systems, you'll only get a code autofill suggestion if the domain of the site requesting a code matches the one in the text. A phishing site can't simply prompt Apple for a code and expect an autofill prompt, then. If you don't get an autofill prompt, there's a good chance the site is bogus.

Apple quietly started delivering codes in the new format around November 2021. The concept isn't necessarily limited to Apple's ecosystem, but it has yet to be widely adopted elsewhere. Still, don't be surprised if these lengthy 2FA texts become more commonplace and potentially thwart some phishing campaigns.

All products recommended by Engadget are selected by our editorial team, independent of our parent company. Some of our stories include affiliate links. If you buy something through one of these links, we may earn an affiliate commission. All prices are correct at the time of publishing.
View All Comments
Here's why your Apple two-factor texts include strange tags