Google is planning to end support for SMS-based two-factor authentication in Gmail, Forbes reports. Sending a code to your personal phone via text message has long been an option Google offered to verify your identity, but it has unavoidable security issues the company wants to address.
The goal is to “reduce the impact of rampant, global SMS abuse,” Gmail spokesperson Ross Richendrfer tells Forbes, and the solution, at least for now, is QR codes. Instead of entering your number and receiving a text with a code you need to enter, Google will throw up a QR code you need to scan with your phone. The reliance on your smartphone is still present, but now you don’t have to rely on the lax security of SMS messages.
Why Google is Ending SMS-Based Two-Factor Authentication
Google’s decision to phase out SMS for 2FA stems from growing security concerns. This section explores the motivations behind the shift.
Security Vulnerabilities in SMS :
SMS is inherently insecure due to risks like interception and SIM swapping. Unlike encrypted methods, SMS messages can be easily compromised by attackers.
SIM Swapping Attacks on the Rise :
Cybercriminals exploit weak carrier protocols to hijack phone numbers, bypassing SMS-based 2FA. High-profile cases include Twitter CEO Jack Dorsey’s 2019 breach.
Regulatory and Industry Recommendation :
The National Institute of Standards and Technology (NIST) deprecated SMS for 2FA in 2016, urging adoption of more secure alternatives like app-based codes.
The Risks of SMS-Based Two-Factor Authentication :
Understanding the flaws in SMS 2FA highlights why Google is prioritizing change.
Ultimately, the goal for Google and other companies like it is to use passkeys and move away from passwords entirely, but
, and making the current, much more familiar process secure is still meaningful.
