Google could replace SMS authentication with QR codes for Gmail: Report


Google is set to replace SMS-based authentication for Gmail with QR codes, a move aimed at enhancing security and combating global SMS abuse. This change, revealed in a report by Forbes’ Davey Winder, follows discussions with Google insiders.

Why SMS Codes Are Being Dropped

SMS authentication, while widely used, has long been criticized for its vulnerabilities. Gmail spokesperson Ross Richendrfer explained, “Just like we want to move past passwords with passkeys, we want to move away from sending SMS messages for authentication.”

Google currently uses SMS verification for two primary purposes:

  • Security: Ensuring users are who they claim to be.
  • Abuse Control: Preventing fraudulent activities, such as the mass creation of Gmail accounts for spamming and malware distribution.

However, SMS codes come with significant risks. Richendrfer, along with Google colleague Kimberly Samra, highlighted the following issues:

  • Phishing Attacks: Users can be tricked into sharing their codes with malicious actors.
  • Device Accessibility: Users may not always have access to the device receiving the SMS.
  • Carrier Vulnerabilities: Fraudsters can deceive mobile carriers into transferring phone numbers, rendering SMS security ineffective.

One emerging threat Google has identified is traffic pumping, also known as artificial traffic inflation or toll fraud. In this scheme, cybercriminals manipulate online services into sending large volumes of SMS messages to numbers they control, profiting from each message delivered.

Transition to QR Codes for Authentication

To address these risks, Google will introduce QR code-based authentication in the coming months. Instead of entering a phone number and receiving a 6-digit SMS code, users will scan a QR code using their phone’s camera.

This shift offers two key benefits:

  • Phishing Protection: Without a static code, users cannot be tricked into sharing sensitive information.
  • Reduced Dependence on Carriers: Google users will no longer rely on mobile carriers for security, minimizing the risk of SIM-based attacks.

Richendrfer emphasized, “SMS codes are a source of heightened risk for users. We’re introducing an innovative approach to shrink the attack surface and keep users safer.”

While Google has not provided an exact implementation timeline, the company hinted at more updates in the near future.

This change aligns with Google’s broader efforts to move beyond traditional passwords and SMS-based authentication, embracing more secure methods like passkeys and biometrics.
