Gmail users will soon see a big change in the way their accounts are secured and how their two-factor authenticated logins are handled. Google is planning to stop sending 2FA codes via text message to verify Gmail accounts in favor of security tools such as passkeys and QR codes that users would scan with their devices.
Google is finding that using SMS messaging for 2FA has become increasingly problematic as scammers and fraudsters use the technology to spoof user accounts. The news was first reported by Forbes.
Ross Richendrfer, head of security and privacy public relations at Google, confirmed the report to CNET.
“Just like we want to move past passwords with the use of things like passkeys, we want to move away from sending SMS messages for authentication,” he said.
According to Richendrfer, over the next few months, Google will be “reimagining” how the company verifies phone numbers. Gmail and other Google services will shift from texting six-digit codes over SMS to showing a QR code that the user scans with their device to verify the login.
The goal is to eliminate cases in which a user, tricked by a scammer, reads their SMS code out to the attacker, and to remove phone carriers as a possible point of compromise. Some scammers, Google says, also abuse SMS verification for a scheme called “traffic pumping,” in which they get paid for the SMS messages that services send.
Richendrfer says using QR codes will reduce the risks of phishing, cut down on global SMS abuse and make users less reliant on their phone carriers.
“SMS codes are a source for heightened risk for users – we’re pleased to introduce an innovative new approach to shrink the surface area for attackers and keep users safer from malicious activity,” he said.
Gmail also uses other 2FA methods such as sending a user to the Gmail app to verify a login as well as its own security software, Google Authenticator.
A necessary move
Google is not the only company to move away from SMS for 2FA. Last year, Evernote removed SMS from its service, and the secure messaging app Signal removed it in 2022. X, Apple and Microsoft have also transitioned users off SMS. Google has been signaling a transition away from SMS since as early as 2017.
Experts say the move is not unexpected and probably necessary for Google.
“Google moving away from SMS-based logins is a smart step for security – and while it may seem like an inconvenience at first, it’s a necessary step toward stronger protection,” Amy Bunn, an online safety advocate at McAfee, told CNET.
“Cybercrooks can hijack phone numbers through SIM-swapping, intercept security codes, and even lock people out of their accounts,” Bunn said. “That’s why more companies, including Google, are shifting to safer login methods like passkeys and authentication apps.”
Rob Allen, chief product officer at the security company ThreatLocker, said that SMS for two-factor authentication “is probably the least-preferred 2FA (process). While it is definitely better to have than no 2FA, it is certainly the least secure.”
Allen said that using an authenticator app on a mobile phone is a much more secure way to use two-factor authentication.
“It’s good to see companies moving towards a more secure environment,” he added.