Google is ditching SMS - and will now use QR codes for Gmail account authentication

Isometric demonstrating multi-factor authentication using a mobile device.

(Image credit: Shutterstock)

Google is removing SMS messages as an authentication option
It will be replaced with on-screen QR codes
Removing SMS authentication reduces the risk of phishing and fraud

Google is officially moving away from using SMS messages in its Gmail account two-factor authenticator.

Gmail spokesperson Ross Richendrfer told Forbes, “we want to move away from sending SMS messages for authentication” to “reduce the impact of rampant, global SMS abuse.”

SMS authentication codes can be easily intercepted by hackers simply by porting your phone number to a new device - just one of the many security issues plaguing SMS messages for authentication.

QR codes to replace Gmail SMS authentication

Google will instead introduce on-screen QR codes that will have to be scanned with your chosen authentication device in order to verify that it is actually you trying to log in. This potentially adds an extra layer of biometric security for those who use a facial recognition or fingerprint scan to access their device or applications.

QR codes will also solve two other concerns related to SMS authentication methods. The first being that QR codes are more phishing resistant, as there will no longer be a security code to share with an attacker. The second being the authentication will no longer be reliant on the phone service provider’s abuse and fraud protections.

Authentication will still be reliant on the user having access to their mobile device, but removes a significant amount of the risk of abuse. For Google, it is also a win, as it cuts down on threat actors being able to run ‘traffic pumping’ campaigns.

In these campaigns, criminals will abuse online service providers to generate a huge amount of SMS messages to phone numbers they control, allowing them to generate revenue through access charges and intercarrier compensation.

In the future, Google hopes to move to a fully passkey supported authenticator system, but the move from passwords to passkeys hasn’t been as fast as Google had hoped, despite their best efforts to convince users to make the switch.

This is our guide to the best password manager
Take a look at the best parental control app
Google Cloud introduces quantum-safe digital signatures

TOPICS

Benedict has been writing about security issues for over 7 years, first focusing on geopolitics and international relations while at the University of Buckingham. During this time he studied BA Politics with Journalism, for which he received a second-class honours (upper division), then continuing his studies at a postgraduate level, achieving a distinction in MA Security, Intelligence and Diplomacy. Upon joining TechRadar Pro as a Staff Writer, Benedict transitioned his focus towards cybersecurity, exploring state-sponsored threat actors, malware, social engineering, and national security. Benedict is also an expert on B2B security products, including firewalls, antivirus, endpoint security, and password management.