Thursday, February 27, 2025

Gmail Security Alert: Google To Ditch SMS Codes For Billions Of Users


Update, Feb. 26, 2025: This story, originally published Feb. 23, now includes additional commentary regarding the potential security implications of the decision to deprecate SMS from the Gmail account authentication armory.

It is certainly no secret that using SMS text messages for security codes used to authenticate your identity is far from ideal. Just as the tech industry is slowly moving away from passwords to passkeys that take a more secure biometric approach to logins, the use of code-generating apps and even app-less approaches to two-factor authentication have increasingly become the norm in recent years. But SMS has always been said to be better than no authentication at all, which is hard to argue with. Now, following a privileged conversation with Google insiders, I can exclusively reveal that Gmail is finally looking to ditch SMS codes for authentication. Here’s everything you need to know.


Gmail Spokesperson: “We Want To Move Away From Sending SMS Messages For Authentication”

“Just like we want to move past passwords with the use of things like passkeys,” Gmail spokesperson Ross Richendrfer told me, “we want to move away from sending SMS messages for authentication.” So began an email conversation with Google that revealed, for the first time, SMS codes are to be ditched when it comes to authentication and replaced with QR codes to “reduce the impact of rampant, global SMS abuse.”

Google currently uses SMS verification primarily for two distinct purposes: security and abuse control. The former, Richendrfer explained, is to verify “that we’re dealing with the same user as before,” while the latter ensures fraudsters don’t abuse Google’s services. An example of this, as provided by Google, was when criminals create thousands of Gmail accounts in order to distribute spam and malware.


Why Gmail Is Getting Rid Of SMS Codes

SMS codes present numerous security challenges, according to Richendrfer and his colleague at Google, Kimberly Samra. They can be phished, people don’t always have access to the device the codes are sent to, and they are reliant on the security practices of the user’s carrier. “If a fraudster can easily trick a carrier into getting hold of someone’s phone number,” Richendrfer said, any “security value of SMS goes away.”

Then there’s the fact that SMS verification codes are also often at the very heart of many criminal operations. One relatively new scam that Google has observed across the last couple of years is what it refers to as traffic pumping. I’ve also heard this called artificial traffic inflation and toll fraud, but the methodology is always the same. Over to Richendrfer and Samra to explain: “It’s where fraudsters try to get online service providers to originate large numbers of SMS messages to numbers they control, thereby getting paid every time one of these messages is delivered.”
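The traffic-pumping pattern Richendrfer and Samra describe leaves a recognisable trace on the sending side: a burst of one-time-code sends fanned out across many distinct numbers in a single number range. The detector below is an added illustration, not Google's code; the log events, the `+999` prefix and the thresholds are constructed for the example.

```python
"""Flag traffic pumping (toll fraud) in constructed OTP-send logs."""
from collections import defaultdict
from datetime import datetime, timedelta


def build_sample_events():
    """Constructed log: (timestamp, destination number) per OTP send."""
    base = datetime(2025, 2, 23, 10, 0, 0)
    events = []
    # Normal traffic: a few sends to unrelated numbers spread over an hour.
    for i in range(8):
        events.append((base + timedelta(minutes=7 * i),
                       f"+1415555{1000 + 37 * i:04d}"))
    # Pumping burst: 25 sends to consecutive numbers in one made-up
    # range (+999 is not a real country code) within about three minutes.
    for i in range(25):
        events.append((base + timedelta(minutes=20, seconds=7 * i),
                       f"+999123{4000 + i:04d}"))
    return sorted(events)


def peak_sends_per_prefix(events, prefix_len=7, window=timedelta(minutes=10)):
    """For each number prefix, the most sends seen inside any sliding window.

    prefix_len=7 keeps the '+' plus six digits, i.e. country code and the
    leading range digits, which is the granularity a pumping block shares.
    """
    by_prefix = defaultdict(list)
    for ts, number in events:
        by_prefix[number[:prefix_len]].append(ts)
    peaks = {}
    for prefix, stamps in by_prefix.items():
        stamps.sort()
        start, best = 0, 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:  # slide the window start
                start += 1
            best = max(best, end - start + 1)
        peaks[prefix] = best
    return peaks


def flag_pumping(events, threshold=20, **window_args):
    """Prefixes whose burst size reaches the threshold; a candidate for
    throttling verification sends to that range and reviewing the traffic."""
    peaks = peak_sends_per_prefix(events, **window_args)
    return {p: n for p, n in peaks.items() if n >= threshold}
```

A legitimate user retrying a code hits one number repeatedly, so counting distinct numbers per prefix rather than raw sends tightens the signal further.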


From SMS To QR Codes For Gmail Authentication

If you are already using a more secure method of authentication for your Gmail account, be that anything from the Google 2FA code app, Google prompts or passkeys, then you don’t have to worry about this latest announcement as you’ve already moved on from the least effective method of keeping attackers out of your account. For everyone else, it would appear that far too many people still rely upon SMS, whether out of update apathy or ignorance. Please read on. I’d recommend changing to the aforementioned authentication methods now, anyway, for obvious reasons.

“Over the next few months, we will be reimagining how we verify phone numbers,” Richendrfer told me. “Specifically, instead of entering your number and receiving a 6-digit code, you’ll see a QR code being displayed, which you need to scan with the camera app on your phone.”

I’m not the world’s greatest fan of QR codes as many of my articles can attest to, but this remains a momentous security moment for Google and Gmail users.

The benefits that QR codes for authentication can offer are threefold, according to Google:

  1. Reducing the phishing risk of Gmail users being tricked into sharing their security codes with a threat actor, primarily, and rather obviously, because there is no such code to share in the first place.
  2. Removing the reliance of Google users, in most cases at least, on their phone carrier for anti-abuse protections.
  3. Helping reduce the impact of rampant, global SMS abuse.

“SMS codes are a source of heightened risk for users,” Richendrfer concluded, “we’re pleased to introduce an innovative new approach to shrink the surface area for attackers and keep users safer from malicious activity.” He signed off with an intriguing “look for more from us on this in the near future,” but without an actual date for implementing the changes for Google account holders and Gmail users. It’s something I’m sure we can all agree cannot come soon enough.


Replacing Gmail SMS Authentication With QR Codes—An Expert View

“It’s good to see Google get with the times and remove SMS multi-factor authentication due to its well-known insecurities and susceptibility to being exploited,” Mike Britton, chief information officer at Abnormal Security, said. “However, although QR codes are a more secure replacement, they don’t come without their risks when it comes to multi-factor authentication themed attacks.”

According to Britton, Abnormal Security threat analysis revealed that QR codes are actually among the “most prevalent in fake notifications for multi-factor authentication activity,” comprising some 27% of all QR attacks observed by the company.

The problem is, Britton warned, that as QR codes represent a relatively new attack vector, the kind of scams “don’t have the kind of ingrained suspicion that we’ve come to expect from other phishing techniques.” And that, dear reader, is a win-win for threat actors.

Whether you are talking about your Google account, which includes your Gmail, as you should understand by now, or anything else, it is vital, Britton said, that you must “question any organization which is proactively asking for credentials, avoid providing sensitive information online and be suspicious of any links sent to you via email.”
