
Google is planning to stop using SMS-based two-factor authentication (2FA) for Gmail and replace it with QR codes to improve security. SMS codes, which were introduced in 2011, can be risky because hackers can trick users into sharing their codes or carry out SIM-swapping attacks. The new QR code system will be rolled out in the coming months, providing a safer way to verify users after they enter their passwords.
Right now, Gmail sends a six-digit code via SMS that users must enter after typing in their password. With the new system, users will scan a QR code using their phone’s camera. A Gmail spokesperson, Ross Richendrfer, said, “SMS codes are a source of heightened risk for users. We’re pleased to introduce an innovative new approach to shrink the surface area for attackers and keep users safer from malicious activity.”
This change comes as Google works to combat issues like SIM-swapping and SMS fraud, where scammers use SMS to steal money. Google currently offers alternatives, like receiving the code via a phone call, but it’s unclear if this option will also be removed. The company also supports other authentication methods like push notifications and time-based one-time passwords (TOTP) through apps such as Google Authenticator.




