Google SMS Multi-Factor Authentication Swapped for QR Code Technology

• The SMS-delivered OTPs are to be phased out in Google authentication processes.
• Security vulnerabilities and inefficiencies of SMS MFA have been known for a while now.
• Google will still keep SMS authentication in some cases, such as new device login user verification.

Google has announced plans to phase out SMS-based multi-factor authentication (MFA) and replace it with QR code technology, citing security vulnerabilities and inefficiencies associated with texted one-time passwords (OTPs).

SMS-based MFA has long been criticized for its susceptibility to threats such as SIM swapping and SS7 protocol exploitation, allowing attackers to intercept OTPs and compromise accounts. 

Under the new system, users will scan a QR code displayed during the login process with their phone’s camera app to authenticate, eliminating the reliance on SMS passcodes. 

Google’s privacy spokesperson, Ross Richendrfer, confirmed the update, stating, “Instead of entering your number and receiving a 6-digit code, you’ll see a QR code being displayed, which you need to scan with the camera app on your phone.”

Google will retain SMS authentication in certain scenarios, such as verifying user identities when logging in from new devices, but the emphasis will shift toward adopting the QR code method or hardware security keys.

Since introducing SMS passcodes for Gmail authentication in 2011, the tech giant has progressively shifted its focus to more robust security measures. 

The 2016 advisory by the National Institute of Standards and Technology (NIST) encouraged the discontinuation of SMS MFA, and more recently, the Cybersecurity and Infrastructure Security Agency (CISA) reinforced this with a call to adopt safer alternatives. 

Other concerns, such as rising SMS fraud schemes like “traffic pumping,” further highlight the drawbacks of text message-based security.

Amazon recently added MFA features to its enterprise email services, and other major organizations continue to reinforce their security postures amidst increasing cyber threats.