Gmail will soon switch away from SMS codes in favor of QR codes

SMS has long been replaced by RCS and instant messaging apps for our daily communication, but it’s still used in some niche functions. For instance, many services still allow SMS as a medium for two-factor authentication, even though two-factor authenticator apps and even app-less approaches are superior. If you’ve been relying on SMS to get into your Gmail account, here’s some bad (but good) news: Gmail is looking to ditch SMS codes for two-factor authentication.

Forbes quotes Gmail spokesperson Ross Richendrfer as suggesting that Google wants to move away from SMS messages for authentication.

“Just like we want to move past passwords with the use of things like passkeys, we want to move away from sending SMS messages for authentication.”

Google hopes to ditch SMS codes and replace them with QR codes to reduce the impact of rampant, global SMS abuse. SMS codes sound convenient but bring many challenges. They can be phished, and people may not have access to the device to which the codes are being sent. They also rely on your carrier’s security practices, so if someone gets hold of your phone number, then there is no security value left in SMS.

Google says that it will be reimagining how it verifies phone numbers over the next few months. Instead of entering their phone number and receiving a six-digit code, users will see a QR code they need to scan with the camera app. This transition seemingly reduces the phishing risk of Gmail users being tricked into sharing their security codes with a bad actor since there is no code to share in the first place. It further removes reliance on carriers for anti-abuse protections.

The report doesn’t have more details on the exact specifics of QR code authentication, nor when Google will begin phasing out SMS authentication, just that it eventually will. We’ve contacted Google to learn more details about this upcoming shift, and we’ll keep you updated.