If you’ve noticed that Apple’s two-factor authentication texts include much more extra text than you’re used to, don’t fret — there’s a good reason for it. As Macworldexplains, Apple has implemented a previously proposed system that uses domain-bound codes for sign-ins. The extra tags (such as “@apple.com #123456 %apple.com”) are meant to improve the trustworthiness of autofilling text codes in platforms starting with iOS 14, iPadOS 14 and macOS Big Sur.
The technique theoretically discourages more sophisticated phishing attacks that try to intercept and redirect two-factor verification messages. If you’re using one of those more recent operating systems, you’ll only get a code autofill suggestion if the domain of the site requesting a code matches the one in the text. A phishing site can’t simply prompt Apple for a code and expect an autofill prompt, then. If you don’t get an autofill prompt, there’s a good chance the site is bogus.
Apple quietly started delivering codes in the new format around November 2021. The concept isn’t necessarily limited to Apple’s ecosystem, but it has yet to be widely adopted elsewhere. Still, don’t be surprised if these lengthy 2FA texts become more commonplace and potentially thwart some phishing campaigns.