Google is planning to end support for SMS-based two-factor authentication (2FA) for Gmail, according to Forbes. While sending a code via text has been a long-standing method to verify identity, it comes with significant security concerns that Google aims to address.
The goal is to “reduce the impact of rampant, global SMS abuse,” as Gmail spokesperson Ross Richendrfer told Forbes. To replace SMS, Google will introduce a new system that uses QR codes. Instead of entering a phone number and waiting for a code, users will scan a QR code with their phone. This maintains smartphone reliance while eliminating the security vulnerabilities associated with SMS.
SMS-based 2FA, while better than nothing, has clear security flaws. Criminals can intercept text messages by convincing a mobile carrier to port a number to a new device, and they can abuse the SMS channel itself through a tactic called “traffic pumping,” where multiple SMS messages are sent to a criminal-controlled number. Given the volume of SMS messages Google sends for verification and anti-spam measures, it’s easy to see how this method can be exploited.
Google, along with other companies, aims to transition to passkeys, ultimately moving away from passwords altogether. However, the adoption of passkeys is slow, so enhancing the security of existing methods remains crucial.