Google is ditching SMS - and will now use QR codes for Gmail account authentication

News
By
published

Google is getting rid of shoddy SMS authentication

Isometric demonstrating multi-factor authentication using a mobile device.
(Image credit: Shutterstock)
  • Google is removing SMS messages as an authentication option
  • It will be replaced with on-screen QR codes
  • Removing SMS authentication reduces the risk of phishing and fraud

Google is officially moving away from using SMS messages in its Gmail account two-factor authenticator.

Gmail spokesperson Ross Richendrfer told Forbes, “we want to move away from sending SMS messages for authentication” to “reduce the impact of rampant, global SMS abuse.”

SMS authentication codes can be easily intercepted by hackers simply by porting your phone number to a new device - just one of the many security issues plaguing SMS messages for authentication.

QR codes to replace Gmail SMS authentication

Google will instead introduce on-screen QR codes that will have to be scanned with your chosen authentication device in order to verify that it is actually you trying to log in. This potentially adds an extra layer of biometric security for those who use a facial recognition or fingerprint scan to access their device or applications.

QR codes will also solve two other concerns related to SMS authentication methods. The first being that QR codes are more phishing resistant, as there will no longer be a security code to share with an attacker. The second being the authentication will no longer be reliant on the phone service provider’s abuse and fraud protections.

Authentication will still be reliant on the user having access to their mobile device, but removes a significant amount of the risk of abuse. For Google, it is also a win, as it cuts down on threat actors being able to run ‘traffic pumping’ campaigns.

In these campaigns, criminals will abuse online service providers to generate a huge amount of SMS messages to phone numbers they control, allowing them to generate revenue through access charges and intercarrier compensation.

In the future, Google hopes to move to a fully passkey supported authenticator system, but the move from passwords to passkeys hasn’t been as fast as Google had hoped, despite their best efforts to convince users to make the switch.

You might also like

TOPICS
Benedict Collins
Benedict Collins
Staff Writer (Security)

Benedict has been writing about security issues for over 7 years, first focusing on geopolitics and international relations while at the University of Buckingham. During this time he studied BA Politics with Journalism, for which he received a second-class honours (upper division), then continuing his studies at a postgraduate level, achieving a distinction in MA Security, Intelligence and Diplomacy. Upon joining TechRadar Pro as a Staff Writer, Benedict transitioned his focus towards cybersecurity, exploring state-sponsored threat actors, malware, social engineering, and national security. Benedict is also an expert on B2B security products, including firewalls, antivirus, endpoint security, and password management.

You must confirm your public display name before commenting

Please logout and then login again, you will then be prompted to enter your display name.

More about security
mobile phone

Forget phishing, now "mishing" is the new security threat to worry about
Android phone malware

Over 25 new malware variants created every single hour as smart device cyberattacks more than double in 2024
Microsoft Excel in use.

Microsoft sneaks out a free desktop-based version of Word, Excel and PowerPoint - then backtracks and says it was just a "test"
See more latest