Gmail: Google plans to end SMS verification in favor of QR codes
For some time now, Google has been asking for a mobile phone number and verification when new customers create Gmail accounts. SMS verification is also used as part of the login process, to verify that a returning customer is indeed that customer.
Google did introduce an option to enable 2-step verification for accounts without phone number in 2024 already.
A report by Forbes suggest that this is going to change in the coming months. Google plans to end SMS verification in favor of another system.
Google told Forbes that it wants to move away from using SMS messages for authentication. Other services, including X, formerly Twitter, have abandoned SMS in the past as well.
Currently, Google uses SMS verification in two situations:
- When accounts get created, in order to limit the mass-creation of accounts by malware gangs and malicious groups.
- To verify the identity of a returning user.
While SMS verification is better than no verification at all, the system has its fair share of significant issues. For one, SMS are sent out in clear text, which means they can be easily read when intercepted. Phishing is another problem that has been on the rise and there is the underlying issue of being tied to a phone number. Fraudulent groups have managed to obtain access to user phone numbers in the past through social engineering attacks that targeted the user's Internet Service Provider.
Google noted a rise in SMS related criminal activities. One of them, which Google calls traffic pumping, attempts to get online services to send SMS messages to numbers that they control in order to get paid.
From SMS to QR Codes
Google plans to switch off SMS verification in favor of a new system that relies on QR codes. So, instead of being asked to verify access by entering a six digit code sent to a mobile phone number, users are asked to scan the QR code using the mobile phone's camera.
Google believes that this new system is beneficial to itself and its users. Primarily, because it is removing phishing from the equation. Since there is no number that is sent to a mobile phone number anymore, there is nothing that can be phished in that regard.
Closing Words
In its talk with Forbes, Google did not reveal when it plans to introduce the change, only that it plans to reimagine how it verifies phone numbers "over the next few months". The changes may roll out in the first half of 2025 at the earliest.
What is your take on the changes? Do you use SMS for verification currently, or do you prefer other means? Feel free to leave a comment down below.
My phone and my computer do not know each other. I like it that way.
And all my emailing – except for a very rare occasion – is done on the computer.
Two step verification is bullshit. If someone steals your phone while open then you are fuc***, it has access to “double verify” nearly anything, beginning for the mail, then bank account and then your life. Just never use double verification in your main phone, or use just another one kept in a safe box. Best verification is a double password.
not a good developement. be it passkey or this, companies (and governments) want that youre 100% identifyable on the net on every occasion so they make you dependent on that device. In better days you could sign up for an email acc just with working adress data. now they want your phone numbers. i get theres many abuse, but the real bad guys always circumvent it, only the average jow will be the one suffering.
our smartphones turned into wiretaps/monitoring devices of all our internet actions. big brother 4tw.
QR codes are a security nightmare.
Why would anyone click on an unknown hyperlink?
This is already being exploited.
Better than giving your phone number to Google and *much* better than getting locked out because you lost your phone, or your number got recycled, or someone has used your number in the past.
> While SMS verification is better than no verification at all
It’s worse than no verification because instead of making the careless suffer, you’re making everyone suffer.
You do realize you must give them a phone number to send the QR code to?
Google doesn’t care a about anything but the sweet sound of cash registers that they control of take a skim from.
If you have only one device, they don’t care that this won’t work – you’re just a non-profit waste of bandwidth and storage.
I can understand the idea from a security point of view, but I think it will run into problems when trying to authenticate whether the user is the person making the request if the phone is on a different network than the PC.
I had this very same problem when trying to return a defective product to Amazon. The return was authorised, but I had to confirm it via a QR code. No problem scanning that, but then Amazon wanted me to login to their site on the phone as well as being logged in on the PC. That’s where the problem cropped up because I use a very long password on my PC to login to Amazon with which is as easy as pie because it’s a simple a copy/paste operation, but I don’t have Keepass on my phone and there was no way I was going to type all those alpha-numeric characters coupled with characters such as @, +, & etc., on such a small screen. To cut a long story short on that score Amazon told me I didn’t have to return the defective item and replaced it with a new one free of charge.
But I can imagine a similar problem cropping up on Google if there are users like me using two different networks which they will no doubt detect and assume the worst.
This makes no sense. I would need two devices to accomplish this. Maybe I am not understanding this. This is similar to a local mobile provider offering a free trial of their wireless, sending a code via text, however, the reason I was trying to get the free trial was that I had no service ( or very limited) to begin with in that location and couldn’t receive texts!!!!
@Dan is right, “the reason I was trying to get the free trial was that I had no service ( or very limited) to begin with in that location and couldn’t receive texts!!!!”, this is just the point! Nice!
Dan, Google supports other authentication options besides SMS / QR Code. My guess is that they show the QR code on desktop primarily while the main focus is on the official apps on mobile. These may use different authentication means altogether.
And how do they expect to scan a QR code that is displayed on phone’s screen?
especially for those of us who have dumb phones. ~9% of us in USA alone. I can’t “scan” anything or click on any links. It does cause some hassle but it’s worth it to have my devices sandboxed and my life simpler. And even when i’ve had smartphones, i would no more willingly scan a QR code than I would step into a garbage bin in my bare feet.
QR is the worst thing ever done to security.
“Users are asked to scan the QR code using the mobile phone’s camera.”
When there is only one phone, will a mirror work?
Time to think that one throug huh?
Who even bothers with google products.
It’s ones’ own making.
Moving away from SMS because?
For years “sim swapping”, number reassignment etc attacks have been increasing a lot.
and ‘Salt Typhoon’. The major intrusion into US mandated backdooring/taps of the telecom networks, means large scale interception is possible and likely even for “high end” individuals… so people with money and connections are demanding action.
Moving to QR because?
Better chance to match your smartphone with your email (it’s techical, but trust me on that. Also telecoms collusion.).
That is not so much possible when it’s just a old sms-capable device. QR is more of a ‘click on this verification link in a browser’ (really, it is not some flawless magic security, it is just text written in a obscure way.). Except it will be done on your phone and thus provide a lot of juicy bits for crosslinking them.
Generally speaking your smartphone is currently the de-facto unique indentifier of choice. Close enough to personally unique that it is practical for many purposes, like browser fingerprinting but with even more DII and PII.
SMS is useless if someone has access to your phone, it’s better two password method.
I get that being asked to point the phone at the QR code gives a slight security advantage, but what’s wrong with user choice. “Would you prefer verification via QR code (recommended), SMS, deal with a stupid robot via phone call …”