Google is aiming to dump SMS as a two-factor authentication method for Gmail and switch to a more secure approach using QR codes.
Reducing SMS abuse
In an email conversation with Forbes published in a story on Sunday, Gmail spokesperson Ross Richendrfer described this upcoming change. Instead of entering your number and getting a six-digit code via SMS, you’ll see a QR code that you scan with your phone’s camera. Richendrfer said Google is making this switch to “reduce the impact of rampant, global SMS abuse.”
In an email to ZDNET, Richendrfer provided more details.
Using two-factor authentication with your online accounts is highly recommended as a way to verify your identity and guard against suspicious or malicious logins. But some forms of 2FA are better than others. A common method is to receive a confirmation code via an SMS text message. However, that type of unencrypted communication can be exploited by cybercriminals.
Why QR codes?
If you’re wondering why QR codes, Richendrfer and Google security communications manager Kimberly Samra zeroed in on the vulnerabilities of SMS authentication.
A scammer can spoof such a message to trick you into sharing the correct verification code. You may not always have access to the device on which you receive the code. And through SIM swapping, a mobile carrier can be fooled into transferring the victim’s phone number to the scammer’s SIM, allowing the scammer to receive the victim’s SMS texts and negating the security value of the authentication.
That’s why a dedicated authenticator app, such as Microsoft Authenticator or Google Authenticator, is a more robust alternative. Physical security keys are also much more secure than SMS. But those methods can take time to set up, which is likely why Google is opting for QR codes: a simpler approach that is still stronger than SMS.
Currently, Google uses SMS verification for two purposes — security and abuse control, Richendrfer told Forbes and ZDNET. The first purpose is to ensure that the company is dealing with the same user as in previous interactions. The second is to ensure that scammers aren’t abusing Google’s services. One example of the latter occurs when cybercriminals create Google accounts to send out spam and malware.
Another trick used by scammers is something called traffic pumping, also known as “artificial traffic inflation” or “toll fraud.” Popping up over the past two to three years, “it’s where fraudsters try to get online service providers to originate large numbers of SMS messages to numbers they control, thereby getting paid every time one of these messages is delivered,” according to Richendrfer.
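As an added example (not code from the article or from Google), one way a service could spot the traffic-pumping pattern Richendrfer describes is to watch for bursts of verification-SMS requests into a single number block from many distinct, often freshly created, accounts. The log entries, the thresholds and the +1555 number block below are constructed for illustration:

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log of SMS verification requests:
# (timestamp, destination number, requesting account).
# The +1555 range is a fictional prefix standing in for a fraudster-controlled number block.
SAMPLE_REQUESTS = [
    ("2025-02-24T10:00:05", "+15550100001", "acct-a1"),
    ("2025-02-24T10:00:41", "+15550100002", "acct-b2"),
    ("2025-02-24T10:01:12", "+15550100003", "acct-c3"),
    ("2025-02-24T10:01:50", "+15550100004", "acct-d4"),
    ("2025-02-24T10:02:20", "+15550100005", "acct-e5"),
    ("2025-02-24T10:02:59", "+15550100006", "acct-f6"),
    ("2025-02-24T10:00:30", "+442071230001", "acct-x9"),  # ordinary user who re-requests once
    ("2025-02-24T10:48:00", "+442071230001", "acct-x9"),
]


def number_block(number, prefix_len=8):
    """Group destinations by their leading digits; pumping targets a block the fraudster controls."""
    return number[:prefix_len]


def find_pumped_blocks(requests, window=timedelta(minutes=10), min_requests=5, min_accounts=3):
    """Flag number blocks that receive at least `min_requests` within `window`
    from at least `min_accounts` distinct accounts.
    Returns {block: (peak_request_count, distinct_accounts_in_that_window)}."""
    by_block = defaultdict(list)
    for ts, number, account in requests:
        by_block[number_block(number)].append((datetime.fromisoformat(ts), account))

    flagged = {}
    for block, events in by_block.items():
        events.sort()  # sort by timestamp so a sliding window can be applied
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:  # drop events older than the window
                start += 1
            in_window = events[start:end + 1]
            accounts = {acct for _, acct in in_window}
            if len(in_window) >= min_requests and len(accounts) >= min_accounts:
                prev = flagged.get(block, (0, 0))
                flagged[block] = max(prev, (len(in_window), len(accounts)))
    return flagged
```

Thresholds like these are a starting point for alerting or for holding delivery pending a second signal, not a verdict on any single request.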
There are benefits
Though QR codes may not be as strong as authenticator apps or physical security keys, they do offer a couple of benefits, according to Google.
First, QR codes eliminate the numeric authentication code, so there’s no code for a scammer to intercept or exploit. Second, they’re not dependent on whatever anti-abuse or anti-SIM-swapping protections your mobile carrier may or may not have in place.
“SMS codes are a source of heightened risk for users,” Richendrfer added, according to Forbes. “We’re pleased to introduce an innovative new approach to shrink the surface area for attackers and keep users safer from malicious activity.”
When might this transition occur?
Richendrfer provided no specific timeframe for the changeover but said, “Over the next few months, we will be reimagining how we verify phone numbers” and told people to “look for more from us on this in the near future.” Given the weaknesses and limitations of SMS authentication, this switch couldn’t come soon enough.