
Google will drop support for SMS-based two-factor authentication (2FA) for Gmail, according to a report. The company will reportedly introduce support for quick response (QR) codes to replace the SMS codes that are currently sent to Gmail users. The move is expected to increase the security of Google accounts, as attackers can trick users into sharing login codes received over SMS, bypassing the protection offered by SMS-based 2FA, an older method that is still supported on several platforms.
Gmail to Drop SMS Authentication Codes to Combat SMS Abuse
According to a Forbes report, Google will roll out QR codes as a replacement for its SMS authentication codes in the coming months. The company currently sends users a six-digit code via SMS, which must be entered after providing the correct password when logging into a Google account. It was the first form of 2FA introduced by the search giant in 2011, and more secure options have been introduced in subsequent years.
Once the company phases out support for SMS-based 2FA codes, Gmail users will be presented with a QR code, which must be scanned using the camera app on their smartphone. The company believes that these QR codes will offer a more secure way to authenticate a user, after the correct password has been submitted.
“SMS codes are a source of heightened risk for users. We’re pleased to introduce an innovative new approach to shrink the surface area for attackers and keep users safer from malicious activity,” Gmail spokesperson Ross Richendrfer told the publication on Sunday.
Supporting access to SMS-based 2FA presents several security challenges — scammers can trick users into sharing SMS codes, or target specific users with “SIM swapping” attacks to get access to their phone number. Like X (formerly Twitter), Google is also looking to crack down on SMS fraud, where scammers prompt companies to send texts to specific numbers to receive money when each message is delivered.
Google currently allows users to receive the code via a phone call instead of an SMS, and it is unclear whether this option will also be retired. The company usually displays a login prompt on a user’s smartphone as a form of MFA, and users can tap a button to complete the login process. Google also supports time-based one-time passwords (TOTP) generated by password managers or apps like Google Authenticator.