Google to Replace SMS-based Two-Factor Authentication for Gmail Users
Google plans to move away from SMS-based two-factor authentication (2FA) for Gmail users in favor of QR code verification, according to a report by Forbes. The change aims to strengthen security and mitigate the risks of phishing scams and SIM-swapping fraud, which attackers often employ to take control of users’ phone numbers and seize verification codes.
Current SMS-based Two-Factor Authentication Setup
Gmail users currently receive a six-digit authentication code by SMS after entering their passwords. This system, established in 2011, has been one of the most widely adopted security methods, despite the availability of newer and more secure alternatives. Google is now set to introduce QR codes, which users will scan with their smartphone cameras to verify their identity.
Vulnerabilities of SMS-based Two-Factor Authentication
While SMS-based 2FA provides an additional layer of security, it has become increasingly susceptible to cyberattacks. SIM swapping, where fraudsters transfer a victim’s phone number to a different SIM card, allows them to intercept verification messages, resulting in significant security breaches. Moreover, hackers frequently deceive users into disclosing their one-time SMS codes through phishing attempts, making SMS authentication a less robust security solution.
Industry Shift Away from SMS Verification
Google is not the first entity to depart from SMS-based authentication. X (formerly Twitter) has also opted to move away from SMS verification due to worries about SMS fraud, where attackers take advantage of telecom vulnerabilities to exploit automated text message verifications.
The Future of QR Code Authentication
Although Google has yet to announce a specific date for the official rollout, the transition to QR code authentication is anticipated to occur within the coming months. Besides QR codes, Google offers several more secure login methods, including:
- Google Prompts: Users receive a pop-up notification on their registered device, enabling them to approve or deny a login attempt.
- Authenticator Apps: Time-based one-time passwords (TOTP) generated by Google Authenticator or other third-party applications like Authy.
- Security Keys: Physical security keys, such as YubiKey, deliver hardware-based authentication for enhanced protection.
Potential Changes to Phone Call-based Authentication
At this point, it remains uncertain whether Google will also stop offering phone call-based authentication, which a portion of users prefer over SMS codes.






