Google to Phase Out SMS MFA in Favor of QR Codes

Google has announced that it will stop using SMS text messages for multi-factor authentication (MFA), which is a way to make online accounts safer. Instead, the company plans to focus on newer and more secure methods.
The use of SMS for sending one-time passcodes to verify users’ identity began in February 2011 for Gmail. However, by 2018, fewer than 10% of users chose this option. In 2021, Google made MFA mandatory for many of its services, but the security of SMS has come into question due to various vulnerabilities. Hackers and malicious individuals can easily exploit weaknesses in the mobile network to redirect text messages, resulting in unauthorized access to accounts. Additionally, a technique known as SIM swapping allows someone to take over another person’s phone number, thereby gaining access to their SMS codes.
Back in 2016, the U.S. government’s National Institute of Standards and Technology (NIST) recommended that text messaging be phased out as a method of multi-factor authentication. This advice is relevant because if a thief successfully steals someone’s phone, they could reset passwords on many accounts, especially since SMS codes often appear on the device’s home screen without needing to unlock it.
The increasing problem of SIM swapping has also made SMS authentication less effective. If a skilled manipulator can convince a mobile carrier that they are the account holder requesting a new SIM card, they can easily bypass security measures. In 2024, the Cybersecurity and Infrastructure Security Agency (CISA) urged people to shift away from using SMS for authentication due to these security risks.
Another issue related to SMS is fraud. Google has noticed a rise in “traffic pumping,” where scammers generate unnecessary one-time passwords sent via SMS, costing companies money. For example, Elon Musk mentioned that when he took over Twitter, these scams were costing the platform around $60 million each year in SMS fees.
Due to these issues, Google is making significant changes to how it handles phone number verification. According to Google’s privacy spokesperson Ross Richendrfer, instead of entering a phone number to receive a six-digit code, users will soon see a QR code that they can scan with their phone’s camera. This method is intended to enhance security by reducing reliance on SMS codes and the risks they pose.
While Google will not completely eliminate SMS, as it may still be necessary for some identity verifications, the process of logging in will increasingly involve QR codes for those who do not use security keys or tokens. Richendrfer stated that SMS codes present a higher risk for users, and the new approach aims to minimize vulnerabilities to help protect users from malicious actions.
In summary, Google is shifting towards more secure methods of verification. Users can look forward to innovative changes that enhance account safety while reducing their reliance on SMS texts for authentication. Further details on these changes will be revealed soon.