Google Drops SMS Authentication, Introduces QR Codes for Gmail Security

For years, we've all known that getting a six-digit code via SMS to log into Gmail is insecure. The risks span SIM swapping, phishing, interception, you name it. Ironically, you could Google "Why SMS authentication is risky" and find countless articles detailing its flaws, yet somehow, Google has only just decided to do something about it. But, better late than never, right?

Google is finally ditching SMS authentication codes in favor of QR codes, a long-overdue move. Over the next few months, instead of waiting for a six-digit code to be texted to your phone, you’ll scan a QR code with your smartphone camera to verify your identity. So, no more codes to be stolen, no more hackers tricking people into revealing them, and no more relying on mobile carriers to keep things secure.

The problem with SMS codes is that they're easy to exploit. SIM swapping, where an attacker transfers your number to their device, is a significant risk. Google's switch to QR codes eliminates these vulnerabilities, as there's no code to steal or leak.

But there’s another reason Google is making the shift, and it’s not just about user security: it’s also about stopping a sneaky scam called traffic pumping. In this fraud scheme, bad actors trick service providers into sending out massive amounts of SMS messages to numbers they control, racking up charges and making money off every text. By removing SMS authentication altogether, Google is cutting off another avenue for scammers to exploit.

This isn’t the first time Google has played around with alternative authentication methods. QR codes were previously tested in limited settings, but now they’re rolling out on a much larger scale. The tech giant has been pushing for a passwordless future, with passkeys and other security improvements, so replacing SMS authentication with QR codes is just another step in that direction.

Google's move away from SMS authentication is a step in the right direction, but it's not exactly breaking new ground. Competitors like Microsoft, Apple, and Proton have been ahead of the curve for a while. For instance, Microsoft moved from SMS authentication to its Authenticator app, Apple pushed passkeys using biometrics and cryptographic keys, and Proton Mail implemented Proton Pass, an integrated authenticator for 2FA.

This change should have happened years ago, but hey, at least they finally Googled the risks and decided to do something about it.