Google to Phase Out SMS-Based Authentication Codes

admin - Feb 25, 2025



Google is set to discontinue authentication and account recovery via SMS verification codes.

Whenever users forget their Google account password, they are presented with several familiar account recovery options. However, one of these options is soon to disappear.

In an exclusive conversation with a Google insider, cybersecurity writer Davey Winder uncovered surprising news: Google is set to discontinue authentication and account recovery via SMS verification codes.


The Shift Away from SMS Authentication

The technology industry is gradually transitioning from traditional passwords to passkeys. This means moving away from character-based passwords to authentication methods secured by PINs or biometric verification, such as facial recognition and fingerprint scanning.

Gmail spokesperson Ross Richendrfer confirmed the change, stating: “Just as we aim to move beyond passwords with technologies like passkeys, we also want to eliminate SMS-based authentication.” Google plans to replace SMS verification with QR codes to minimize the global misuse of SMS.

Currently, Google uses SMS verification for two purposes: security and abuse prevention. Richendrfer explained that, in terms of security, SMS authentication helps Google confirm it is interacting with the correct user. On the other hand, the abuse prevention mechanism prevents malicious actors from exploiting Google’s services.

Cybercriminals have been known to create thousands of fraudulent Gmail accounts to spread spam and malware, making SMS-based verification a critical tool in preventing abuse.

Why Google Is Ending SMS-Based Authentication

According to Richendrfer and his team, SMS verification codes come with inherent risks. Attackers can steal user identities, users may lose access to their phones, and the security of SMS codes depends on the reliability of mobile service providers.

“If a hacker tricks a mobile carrier into transferring a victim’s phone number to their device, the security value of SMS authentication is completely lost,” Richendrfer explained.


Additionally, SMS authentication has become a key component in certain fraudulent schemes. Over the past few years, Google has tracked and identified a scam known as “traffic pumping.” This method, previously referred to as traffic inflation or toll fraud, involves cybercriminals manipulating online services to send large volumes of SMS messages to phone numbers under their control. The attackers then collect fees each time a message is sent.

Upcoming Changes

“In the coming months, we will introduce a new approach to phone-based authentication,” Richendrfer stated. “Instead of entering a phone number and receiving a six-digit SMS code, users will see a QR code that they must scan with their phone’s camera.”


Google has outlined several security benefits of QR code authentication:

  1. Reduced phishing risk: Since users will no longer receive a security code, they cannot be tricked into sharing it with cybercriminals.
  2. Less reliance on mobile carriers: While not a solution for all cases, this change will reduce users’ dependency on network providers for security.

“SMS-based verification codes pose significant risks to users,” a Google spokesperson concluded. “We’re excited to introduce an innovative new method that enhances security and minimizes exposure to cyber threats.”

While Google has not yet announced an official phase-out date for SMS verification codes, this shift is expected to be widely welcomed by users.
