Google’s Plan to Discontinue SMS-Based Two-Factor Authentication

Google is planning to end support for SMS-based two-factor authentication in Gmail, as Forbes reports. The company has long offered the option to send a code to users’ personal phones via text message to verify their identity. However, this method has inherent security issues that Google aims to address.

The Reason Behind the Change

The primary goal is to "reduce the impact of rampant, global SMS abuse," according to Gmail spokesperson Ross Richendrfer, who spoke with Forbes. To achieve this, Google will replace SMS-based authentication with QR codes. Instead of entering a phone number and receiving a text with a code, users will be presented with a QR code to scan with their phone. This shift reduces the reliance on the less secure SMS messages, although it still requires the use of a smartphone.

Security Concerns with SMS Authentication

Using SMS two-factor authentication is better than not using any form of two-factor authentication, but it is not as secure as other methods. Criminals can intercept messages by convincing carriers to port a user’s number to a new phone. They can also make money by tricking providers into sending multiple SMS messages to a controlled number through a process known as "traffic pumping." Given the large volume of SMS messages Google sends for verification and spam prevention, it’s clear why SMS poses a problem.

The Future of Authentication

Ultimately, Google and similar companies aim to utilize passkeys and move away from passwords entirely. However, adoption is slow, and enhancing the security of the current, more familiar process remains important.