Google testing auto-fill of 2FA codes from Android Messages

Autofill from SMS has been a feature in Android for many years now. It used an API that allowed apps to read the users messages to mostly authenticate the login credentials. Now, it has been reported that Google is testing the ability to let Messages autofill SMS-based 2FA keys too in any app.

It was last year when this feature was first noted with a “verification code autofill” setting appearing as an update to Google Play services. This would supersede Android Retriever API and allow this setting to be used with any app. Earlier developers would be required to explicitly enable the option with the API and it would need specific formatting cues for the message so that it can be read easily by the app.

The setting seems to be appearing to limited users for now, specifically those running Play Services version 20.04.12 and Google Messages version 5.5.096 which is the latest beta version. When enabled, users will see show a autofill suggestion box with the text “Autofill code from Messages” in the app you are trying to verify with. Google might be testing to work out the possible bugs and kinks in the feature before deciding to roll it out widely to all users. There does not seem to be a clear manual way to turn on the feature yet.

Users must note that by giving direct system level access to verification codes will reduce the security of your 2FA by a significant amount. Although SIM-Swap attacks are not very prevalent in India like in the US, it is still risk worth considering. Most apps in India do not have the option for a more secure 2FA method, and we hope that will change soon.