Google has announced plans to phase out SMS text messages for multi-factor authentication (MFA) in favor of QR codes. The tech giant first introduced SMS-based one-time passcodes for Gmail in 2011, but the method has become increasingly insecure over the years.
In 2018, fewer than 10 percent of users used SMS for MFA. The method has been criticized because of weaknesses in SS7, the telephone network signaling protocol, which let attackers redirect SMS messages, and because of SIM swapping, where attackers take over a victim’s phone number to access their codes.
In 2016, the U.S. government’s National Institute of Standards and Technology (NIST) advised against using SMS for MFA. The prevalence of SIM swapping, along with rising fraud schemes like traffic pumping, has further diminished the reliability of SMS codes.
Google will replace SMS codes with a QR code system. Users will scan a QR code displayed on their screen using their phone’s camera instead of entering a six-digit code sent via text. This change aims to enhance security by reducing the risks associated with SMS-based authentication.
SMS will not be eliminated entirely, but it will be used sparingly for identity confirmation. Users who have not set up security keys or tokens will need to adapt to the new QR code system for logging in.
This initiative reflects Google’s commitment to improving user security by minimizing potential attack surfaces. More details on the transition are expected in the coming months.
For further information, visit The Register.