Google is using QR codes instead of SMS for Gmail authentication.

Soon, there will be significant changes to the way your two-factor authenticated logins and Gmail account security are managed. Google has announced that it will no longer use text messages with 2FA codes to validate Gmail accounts. Instead, security measures like passkeys and QR codes that you can scan with your device will be used.

As previously reported by Forbes, Google says that SMS messaging for 2FA has grown more difficult as scammers and fraudsters use the technology to spoof user accounts.

This was confirmed to CNET by Ross Richendrfer, Google’s head of security and privacy public affairs. Google would be “reimagining” how it checks phone numbers, he said. Google services, including Gmail, will switch from transmitting six-digit numbers via SMS to a user-verifiable QR code.

“Just like we want to move past passwords with the use of things like passkeys, we want to move away from sending SMS messages for authentication,” Richendrfer stated.

The objectives are to eliminate phone carriers as a potential point of breach and to prevent cases of customers sharing their SMS code with a fraudster who has deceived them. According to Google, some con artists also use SMS messages for a fraud known as “traffic pumping,” which enables them to get payment for sending SMS messages.

According to Richendrfer, employing QR codes will lessen the likelihood of phishing attempts, curb worldwide SMS misuse, and minimize consumers’ dependence on their phone providers.

“SMS codes are a source for heightened risk for users – we’re pleased to introduce an innovative new approach to shrink the surface area for attackers and keep users safer from malicious activity,” he stated.

In addition to its own security program, Google Authenticator, Gmail also employs various 2FA techniques, such as directing users to the Gmail app to confirm their login.

An essential security measure
Google is hardly the only business that has abandoned SMS for two-factor authentication. Evernote dropped SMS last year, and Signal, a secure messaging app, did the same in 2022. Microsoft, Apple, and X have also moved their customers away from SMS. As early as 2017, Google began to indicate that it was moving away from SMS.

According to experts, the move is likely required for Google and is not surprising.

“Google’s decision to abandon SMS-based logins is a wise security move; although it might first appear inconvenient, it’s an essential step toward more robust protection,” Amy Bunn, a McAfee internet safety advocate

“Cybercrooks can hijack phone numbers through SIM-swapping, intercept security codes, and even lock people out of their accounts,” Bunn stated. “That’s why more companies, including Google, are shifting to safer login methods like passkeys and authentication apps.”

Two-factor authentication via SMS “is probably the least-preferred 2FA (process),” according to Rob Allen, chief product officer of the security firm ThreatLocker. Although having 2FA is unquestionably preferable to not having it, SMS is also the least secure form.

Two-factor authentication is substantially more secure when done using a mobile authenticator app, according to Allen.

“It’s good to see companies moving toward a more secure environment,” he stated.

Abu Bakar: