In a significant shift, Google plans to discontinue support for SMS-based two-factor authentication (2FA) for Gmail accounts, according to a recent report. The tech giant is set to implement QR codes as a replacement for the current SMS codes sent to users, a move aimed at bolstering the security of Google accounts against potential threats.
Gmail Set to Replace SMS Codes with QR Codes
A report from Forbes indicates that the transition to QR codes will occur in the coming months. Currently, users receive a six-digit code via SMS, which they must enter after providing their correct password to access their Google accounts. This SMS-based 2FA method was introduced by Google in 2011, paving the way for more secure options that have emerged over time.
When SMS-based codes are phased out, Gmail users will need to scan a QR code presented during the login process using their smartphone camera after entering their password. This updated method aims to enhance security by reducing the risk associated with SMS-based authentication.
“SMS codes are a source of heightened risk for users. We’re pleased to introduce an innovative new approach to shrink the surface area for attackers and keep users safer from malicious activity,” said Gmail spokesperson Ross Richendrfer in a statement to the publication on Sunday.
SMS-based 2FA is vulnerable to scammers who deceive users into sharing their codes or who carry out “SIM swapping” attacks to hijack their phone numbers. As X (formerly Twitter) has done, Google is also addressing SMS fraud, in which scammers manipulate the system to receive payments through text messages sent to specific numbers.
Google also offers an option for users to receive their authentication codes via phone calls instead of SMS, though it remains uncertain if this feature will be discontinued alongside SMS support. As an alternative, Google prompts users with a login notification on their mobile devices, allowing them to approve the login with a simple tap. The company additionally supports time-based one-time passwords (TOTP) through password managers and applications like Google Authenticator.