Google is ditching SMS - and will now use QR codes for Gmail account authentication

News
By published

Google is getting rid of shoddy SMS authentication

Isometric demonstrating multi-factor authentication using a mobile device.
(Image credit: Shutterstock)
  • Google is removing SMS messages as an authentication option
  • It will be replaced with on-screen QR codes
  • Removing SMS authentication reduces the risk of phishing and fraud

Google is officially moving away from using SMS messages in its Gmail account two-factor authenticator.

Gmail spokesperson Ross Richendrfer told Forbes, “we want to move away from sending SMS messages for authentication” to “reduce the impact of rampant, global SMS abuse.”

SMS authentication codes can be easily intercepted by hackers simply by porting your phone number to a new device - just one of the many security issues plaguing SMS messages for authentication.

Latest Videos From

QR codes to replace Gmail SMS authentication

Google will instead introduce on-screen QR codes that will have to be scanned with your chosen authentication device in order to verify that it is actually you trying to log in. This potentially adds an extra layer of biometric security for those who use a facial recognition or fingerprint scan to access their device or applications.

QR codes will also solve two other concerns related to SMS authentication methods. The first being that QR codes are more phishing resistant, as there will no longer be a security code to share with an attacker. The second being the authentication will no longer be reliant on the phone service provider’s abuse and fraud protections.

Authentication will still be reliant on the user having access to their mobile device, but removes a significant amount of the risk of abuse. For Google, it is also a win, as it cuts down on threat actors being able to run ‘traffic pumping’ campaigns.

In these campaigns, criminals will abuse online service providers to generate a huge amount of SMS messages to phone numbers they control, allowing them to generate revenue through access charges and intercarrier compensation.

In the future, Google hopes to move to a fully passkey supported authenticator system, but the move from passwords to passkeys hasn’t been as fast as Google had hoped, despite their best efforts to convince users to make the switch.

You might also like

TOPICS
Benedict Collins
Benedict Collins
Senior Writer, Security

Benedict is a Senior Security Writer at TechRadar Pro, where he has specialized in covering the intersection of geopolitics, cyber-warfare, and business security.

Benedict provides detailed analysis on state-sponsored threat actors, APT groups, and the protection of critical national infrastructure, with his reporting bridging the gap between technical threat intelligence and B2B security strategy.

Benedict holds an MA (Distinction) in Security, Intelligence, and Diplomacy from the University of Buckingham Centre for Security and Intelligence Studies (BUCSIS), with his specialization providing him with a robust academic framework for deconstructing complex international conflicts and intelligence operations, and the ability to translate intricate security data into actionable insights.

You must confirm your public display name before commenting

Please logout and then login again, you will then be prompted to enter your display name.