Gmail to Phase Out SMS Code Authentication, Confirms Google

It’s no secret that using SMS text messages to receive security codes for logging in is not the best option. Many in the tech world are shifting from traditional passwords to more secure methods, like passkeys that use face recognition or fingerprints for access. Additionally, the use of code-generating apps and other strategies for two-factor authentication has gained popularity. Even though SMS was seen as a better option compared to having no security at all, it has significant drawbacks. Recently, I had the chance to speak with some insiders at Google, who revealed that Gmail will soon stop using SMS codes for authentication.

A spokesperson for Gmail, Ross Richendrfer, expressed the company’s desire to move away from SMS messages for identity verification. Google aims to replace SMS codes with QR codes in response to the widespread exploitation of SMS security. Right now, Gmail primarily relies on SMS for two main reasons: first, to confirm the identity of a user, and second, to prevent abuse of Google services. Criminals have been known to create hundreds of fraudulent Gmail accounts to send out spam and malware, which is a significant concern for Google.

Google employees Richendrfer and Kimberly Samra explained that SMS codes are vulnerable to various security issues. For example, they can be intercepted through phishing scams, or users might not always have access to the phone receiving the codes. Users also depend on their mobile carrier’s security, which can be problematic. If someone can trick a carrier into transferring a phone number, it undermines the security provided by SMS entirely.

Moreover, SMS codes are often central to many online scams. A growing scam called “traffic pumping” involves fraudsters manipulating online services to generate a high volume of SMS messages to numbers they control. Whenever an SMS is delivered to those numbers, the fraudsters profit from it.

To combat these issues, Google plans to change how phone number verification is done. In the coming months, instead of typing in a phone number to receive a six-digit code, users will see a QR code that they can scan using their phone’s camera. Although some people might not be enthusiastic about QR codes, this change is significant for Gmail users and their security.

Using QR codes can significantly enhance security in two main ways. First, it minimizes the risk of phishing attacks because there will be no code to share with malicious actors. Second, it reduces users’ reliance on mobile carriers to provide security against abuse, making the process more secure overall.

Richendrfer mentioned that SMS codes can increase the security risks for users, which is why they are excited to introduce this innovative new method. With this change in the works, many people are eagerly awaiting more information from Google about when these new procedures will be implemented. It’s a change that could improve user safety in the face of increasing online threats, and it’s clear that the move away from SMS authentication is long overdue.