Gmail: Google plans to end SMS verification in favor of QR codes

For some time now, Google has been asking for a mobile phone number and verification when new customers create Gmail accounts. SMS verification is also used as part of the login process, to verify that a returning customer is indeed that customer.
Google already introduced an option in 2024 to enable 2-step verification for accounts without a phone number.
A report by Forbes suggests that this is going to change in the coming months. Google plans to end SMS verification in favor of another system.
Google told Forbes that it wants to move away from using SMS messages for authentication. Other services, including X, formerly Twitter, have abandoned SMS in the past as well.
Currently, Google uses SMS verification in two situations:
- When accounts get created, in order to limit the mass-creation of accounts by malware gangs and malicious groups.
- To verify the identity of a returning user.
While SMS verification is better than no verification at all, the system has its fair share of significant issues. For one, SMS messages are sent in clear text, which means they can easily be read when intercepted. Phishing is another problem that has been on the rise, and there is the underlying issue of being tied to a phone number. Fraudulent groups have managed to obtain access to user phone numbers in the past through social engineering attacks that targeted the user's Internet Service Provider.
Google noted a rise in SMS related criminal activities. One of them, which Google calls traffic pumping, attempts to get online services to send SMS messages to numbers that they control in order to get paid.
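Traffic pumping tends to show up in a sender's own logs as many codes sent to adjacent numbers, with few of them ever entered back. The following is an added example, not code from Google or the original article, that flags such number ranges; the event format, prefix length and thresholds are assumptions, and the sample data is constructed.

```python
from collections import defaultdict

# Constructed sample events: (destination number, event).
# "sent" = a verification SMS went out, "verified" = the code was entered back.
# All numbers are made up (+999 is an unassigned country code).
SAMPLE_EVENTS = (
    # Sequential numbers in one range, almost no completed verifications.
    [("+9990001%04d" % i, "sent") for i in range(2001, 2013)]
    + [("+99900012005", "verified")]
    # Busy but healthy range: most codes are entered back.
    + [("+1555555010%d" % i, "sent") for i in range(6)]
    + [("+1555555010%d" % i, "verified") for i in range(5)]
    # Too little volume to judge either way.
    + [("+12025550143", "sent"), ("+12025550144", "sent")]
)


def flag_pumped_prefixes(events, prefix_len=8, min_sent=5, max_conversion=0.2):
    """Return {prefix: (sent, verified)} for number ranges that receive many
    codes but rarely complete verification (assumed heuristic and thresholds)."""
    sent = defaultdict(int)
    verified = defaultdict(int)
    for number, event in events:
        prefix = number[:prefix_len]
        if event == "sent":
            sent[prefix] += 1
        elif event == "verified":
            verified[prefix] += 1

    flagged = {}
    for prefix, n_sent in sent.items():
        if n_sent < min_sent:
            continue  # not enough traffic to call it abnormal
        conversion = verified[prefix] / n_sent
        if conversion <= max_conversion:
            flagged[prefix] = (n_sent, verified[prefix])
    return flagged


if __name__ == "__main__":
    for prefix, (n_sent, n_ok) in flag_pumped_prefixes(SAMPLE_EVENTS).items():
        print(f"{prefix}*: {n_sent} codes sent, {n_ok} verified")
```

Flagged ranges are candidates for rate limiting or review rather than proof of fraud, since a low completion rate can also come from delivery problems.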
From SMS to QR Codes
Google plans to switch off SMS verification in favor of a new system that relies on QR codes. So, instead of being asked to verify access by entering a six-digit code sent to a mobile phone number, users are asked to scan the QR code using the mobile phone's camera.
Google believes that this new system is beneficial to itself and its users, primarily because it removes phishing from the equation. Since no code is sent to a mobile phone number anymore, there is nothing that can be phished in that regard.
Closing Words
In its talk with Forbes, Google did not reveal when it plans to introduce the change, only that it plans to reimagine how it verifies phone numbers "over the next few months". The changes may roll out in the first half of 2025 at the earliest.
What is your take on the changes? Do you use SMS for verification currently, or do you prefer other means? Feel free to leave a comment down below.


Google doesn’t care about anything but the sweet sound of cash registers that they control or take a skim from.
If you have only one device, they don’t care that this won’t work – you’re just a non-profit waste of bandwidth and storage.
I can understand the idea from a security point of view, but I think it will run into problems when trying to authenticate whether the user is the person making the request if the phone is on a different network than the PC.
I had this very same problem when trying to return a defective product to Amazon. The return was authorised, but I had to confirm it via a QR code. No problem scanning that, but then Amazon wanted me to log in to their site on the phone as well as being logged in on the PC. That’s where the problem cropped up because I use a very long password on my PC to log in to Amazon with, which is as easy as pie because it’s a simple copy/paste operation, but I don’t have Keepass on my phone and there was no way I was going to type all those alpha-numeric characters coupled with characters such as @, +, & etc., on such a small screen. To cut a long story short on that score, Amazon told me I didn’t have to return the defective item and replaced it with a new one free of charge.
But I can imagine a similar problem cropping up on Google if there are users like me using two different networks which they will no doubt detect and assume the worst.
This makes no sense. I would need two devices to accomplish this. Maybe I am not understanding this. This is similar to a local mobile provider offering a free trial of their wireless, sending a code via text, however, the reason I was trying to get the free trial was that I had no service (or very limited) to begin with in that location and couldn’t receive texts!!!!
Dan, Google supports other authentication options besides SMS / QR Code. My guess is that they show the QR code on desktop primarily while the main focus is on the official apps on mobile. These may use different authentication means altogether.
And how do they expect to scan a QR code that is displayed on phone’s screen?
“Users are asked to scan the QR code using the mobile phone’s camera.”
When there is only one phone, will a mirror work?
Moving away from SMS because?
For years “sim swapping”, number reassignment etc. attacks have been increasing a lot.
And ‘Salt Typhoon’. The major intrusion into US-mandated backdooring/taps of the telecom networks means large scale interception is possible and likely even for “high end” individuals… so people with money and connections are demanding action.
Moving to QR because?
Better chance to match your smartphone with your email (it’s technical, but trust me on that. Also telecoms collusion.).
That is not so much possible when it’s just an old SMS-capable device. QR is more of a ‘click on this verification link in a browser’ (really, it is not some flawless magic security, it is just text written in an obscure way.). Except it will be done on your phone and thus provide a lot of juicy bits for crosslinking them.
Generally speaking your smartphone is currently the de-facto unique identifier of choice. Close enough to personally unique that it is practical for many purposes, like browser fingerprinting but with even more DII and PII.