Google Will Replace Gmail’s SMS-Based 2FA With QR Codes

Low Boon Shen

SMS authentication is one of the earliest forms of two-factor authentication (2FA), but it has been proven vulnerable to various attacks that render it largely ineffective in ensuring account security. Per Forbes, Google is planning to phase out SMS-based 2FA in Gmail, and the replacement will come in the form of QR codes.

QR Code 2FA Coming To Gmail

According to Gmail spokesperson Ross Richendrfer, the decision to introduce QR-based 2FA is to “reduce the impact of rampant, global SMS abuse.” The abuse in question includes exploits like SS7 attacks or SIM swapping, which can redirect OTP (one-time password) codes to the attacker, who can then access the compromised account. Hence, most online services these days have moved to more secure methods, including authenticator apps, hardware passkeys, or QR codes.

Under the new system, users will be asked to scan the QR code with their smartphone – this should be pretty familiar to most of you if you have ever used things like WhatsApp’s desktop or web client. The benefits are obvious: attackers won’t have access to the QR code as easily as they would to a simple 6-digit code (unless the image is explicitly shared or stolen using much more sophisticated malware on the victim’s device), and it also moves responsibility for anti-abuse functions away from telecommunication carriers.

Google hasn’t given a concrete timeline on when the phase-out will happen in Gmail, aside from mentioning “over the next few months”. Still, it’s safe to say that the sooner this happens, the better. If you’re reading this, here’s a reminder to double-check your account security and make sure to disable SMS 2FA if you can, or minimize it otherwise.

Pokdepinion: About time we move away from SMS 2FA, it hasn’t been safe to use for a good while.
