Google plans to stop using insecure SMS verification in Gmail

A username and password just won’t cut it anymore. Users around the world logging into Gmail have often relied on Google SMS pings to securely access their accounts, but that’s changing. Google now hopes to move beyond SMS, which has become so frequently abused that it negates any supposed security benefit. Instead of using SMS, the company will reportedly switch to using QR codes.

Currently, Google sends SMS codes for two reasons: to confirm that a new login is legitimate and to block spammers from opening Gmail accounts in bulk. You type in your credentials, and a moment later, Google texts a six-digit code for you to enter as well. It’s not a terribly arduous process, and it can help protect your account, but SMS is not very secure.

SMS messages are delivered by mobile carriers without encryption, and they often go through intermediaries that can be compromised without your knowledge. Even if the line is secure, phone numbers have very little in the way of security.

SIM swap attacks are depressingly common today, with carrier reps tricked or paid off to transfer a phone number to a fraudster’s device. At that point, the two-factor codes from Google go right to the attacker, allowing them to log in. This same attack has been used to access crypto wallets and make off with valuable digital currency. Gaining control of the target’s email is often a necessary step to unlock other accounts.

According to Forbes, Google plans to patch this vulnerability soon. The company will stop using SMS codes for verification, moving to a QR code that the user has to scan with their phone. 

“Just like we want to move past passwords with the use of things like passkeys, we want to move away from sending SMS messages for authentication,” Google spokesperson Ross Richendrfer told Forbes.

This dialog will soon be replaced with a QR code.

Moving to QR codes takes SMS out of the equation, which also means you don’t have to worry about your carrier’s security practices or lack thereof. Google also points out that QR-code scanning makes phishing scams harder. It’s relatively easy to trick someone into providing an SMS code. Scammers often do this by pretending to be associated with Google, but you can’t share what you don’t have.

Google has not offered much in the way of specifics here. Richendrfer says the change will roll out in “the next few months,” but it’s unclear if all markets will see this change simultaneously. If you already use two-factor on your account, for example with a code generator app or a security key, you’ll continue using that to verify your account. We’ve reached out to Google and will update with anything else we learn about this impending change.