
Google will abandon support for SMS-based two-factor authentication (2FA) in Gmail, according to a report. The company will reportedly provide support for Quick Response (QR) codes to replace the SMS codes currently sent to Gmail users. The move is expected to improve security for Google accounts, as malicious actors can trick users into sharing login codes they receive via SMS, bypassing the security provided by the older 2FA method, which is still supported on multiple platforms.
Gmail removes SMS authentication code to combat SMS abuse
According to a Forbes report, Google will launch QR codes in the next few months to replace its SMS authentication codes. The company currently sends a six-digit code to users via SMS, which must be entered after providing the correct password when logging into a Google account. The search giant introduced this form of 2FA in 2011 and added safer options in the following years.
Once the company ends support for SMS-based 2FA codes, Gmail users will instead be presented with QR codes, which they must scan using the camera app on their smartphone. The company believes these QR codes will provide a safer way to verify users after they submit the correct password.
“SMS codes are a source of increased user risk. We are pleased to introduce an innovative new approach to reduce the surface area for attackers and keep users safe from malicious activity.”
Supporting SMS-based 2FA presents several security challenges: scammers can trick users into sharing SMS codes, or target specific users with a “SIM swap” attack to gain access to their phone numbers. Like X (formerly Twitter), Google also wants to combat SMS fraud, in which scammers prompt companies to send texts to specific numbers and receive money for each message that is delivered.
Google currently allows users to receive codes over the phone instead of via SMS, and it is not clear whether this option will also be retired. The company usually displays a login prompt on the user’s smartphone as a form of multi-factor authentication (MFA), and the user can tap a button to complete the login process. Google also supports time-based one-time passwords (TOTP) generated by applications like a password manager or Google Authenticator.