Google Ditches SMS for 2FA: Gmail Users to Embrace Passkeys and QR Codes for Enhanced Security

Google has announced plans to phase out the use of SMS-based two-factor authentication (2FA) for Gmail and other Google services. Instead, the tech giant will transition to more secure methods such as passkeys and QR codes, which users can scan with their devices to verify their identities. This shift aims to combat the growing threat of scams, phishing attacks, and SMS-based fraud, marking a pivotal step in Google’s ongoing efforts to protect users from malicious activity.

The Problem with SMS-Based 2FA

For years, SMS-based 2FA has been a widely used method for securing online accounts. When logging in, users receive a six-digit code via text message, which they must enter to verify their identity. While this method adds an extra layer of security compared to relying solely on passwords, it has become increasingly vulnerable to exploitation by scammers and fraudsters.

Ross Richendrfer, Google’s head of security and privacy public relations, explained the risks associated with SMS-based 2FA in a statement to CNET. “SMS codes are a source for heightened risk for users,” he said. “We’re pleased to introduce an innovative new approach to shrink the surface area for attackers and keep users safer from malicious activity.”

One of the primary issues with SMS-based 2FA is its susceptibility to phishing attacks. Scammers often trick users into sharing their verification codes, granting them access to sensitive accounts. Additionally, SMS messages can be intercepted through techniques like SIM-swapping, where attackers hijack a victim’s phone number. Even phone carriers themselves can become points of breach, as some scammers exploit SMS messaging for “traffic pumping,” a scheme that allows them to profit from sending fraudulent texts.

A New Era of Authentication: Passkeys and QR Codes

To address these vulnerabilities, Google is rolling out a more secure authentication system that leverages passkeys and QR codes. Over the next few months, Gmail users will begin to see a shift away from SMS-based codes. Instead, they will be prompted to scan a QR code using their device, which will verify their identity without relying on text messages.

Passkeys, a newer authentication method, will also play a central role in this transition. Unlike traditional passwords or SMS codes, passkeys use cryptographic keys stored on a user’s device to authenticate logins. This approach eliminates the need for users to remember complex passwords or rely on potentially insecure SMS messages. Passkeys are already supported by Google Authenticator, the company’s dedicated 2FA app, and are gaining traction as a more secure alternative to traditional authentication methods.
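The difference between a texted code and a device-held key shows up on the server's side of the login check. The following is an added example, not code from Google or from the original article: a simplified model of a passkey login (not the WebAuthn wire format) next to an SMS-style code check. The origins, the six-digit code and all function names are constructed for illustration.

```javascript
// Added illustration: simplified model of a passkey login, not the WebAuthn wire format.
const { generateKeyPairSync, sign, verify, randomBytes } = require('node:crypto');

const RP_ORIGIN = 'https://accounts.example'; // constructed relying-party origin

// Registration: the private key stays on the device; the server stores only the public key.
function registerPasskey() {
  const { publicKey, privateKey } = generateKeyPairSync('ec', { namedCurve: 'P-256' });
  return { device: { privateKey }, server: { publicKey } };
}

// Device side: the browser, not the user, records which origin asked for the login.
function deviceSign(device, challenge, browserOrigin) {
  const clientData = JSON.stringify({ challenge: challenge.toString('hex'), origin: browserOrigin });
  return { clientData, signature: sign('sha256', Buffer.from(clientData), device.privateKey) };
}

// Server side: the challenge must be the one just issued, the origin must be ours,
// and the signature must cover exactly those bytes.
function serverVerify(server, issuedChallenge, assertion) {
  const data = JSON.parse(assertion.clientData);
  if (data.challenge !== issuedChallenge.toString('hex')) return 'wrong-challenge';
  if (data.origin !== RP_ORIGIN) return 'wrong-origin';
  const valid = verify('sha256', Buffer.from(assertion.clientData), server.publicKey, assertion.signature);
  return valid ? 'ok' : 'bad-signature';
}

// SMS-style check for contrast: a six-digit code carries no origin, so the server
// cannot tell on which site the user typed it.
function serverVerifySmsCode(issuedCode, submittedCode) {
  return submittedCode === issuedCode ? 'ok' : 'wrong-code';
}

function demo() {
  const { device, server } = registerPasskey();
  const challenge = randomBytes(32);
  const genuine = deviceSign(device, challenge, RP_ORIGIN);
  const lookalike = deviceSign(device, challenge, 'https://accounts-example.test'); // constructed
  const rewritten = { ...lookalike, clientData: genuine.clientData }; // origin edited after signing
  return {
    genuine: serverVerify(server, challenge, genuine),
    lookalike: serverVerify(server, challenge, lookalike),
    rewritten: serverVerify(server, challenge, rewritten),
    replayed: serverVerify(server, randomBytes(32), genuine),
    smsCodeEnteredElsewhere: serverVerifySmsCode('493027', '493027'),
  };
}

console.log(demo());
```

Only the assertion produced on the genuine origin for the current challenge is accepted, while the six-digit code verifies no matter where it was entered.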

Why This Move Matters

Google’s decision to move away from SMS-based 2FA is part of a broader industry trend. Companies like Evernote, Signal, X (formerly Twitter), Apple, and Microsoft have already begun transitioning users to more secure authentication methods. Experts agree that this shift is not only necessary but long overdue.

Amy Bunn, an online safety advocate at McAfee, emphasized the importance of this change in a statement to CNET. “Google moving away from SMS-based logins is a smart step for security – and while it may seem like an inconvenience at first, it’s a necessary step toward stronger protection,” she said. “Cybercrooks can hijack phone numbers through SIM-swapping, intercept security codes, and even lock people out of their accounts. That’s why more companies, including Google, are shifting to safer login methods like passkeys and authentication apps.”

Rob Allen, chief product officer at the cybersecurity firm ThreatLocker, echoed this sentiment. “SMS for two-factor authentication is probably the least-preferred 2FA process,” he said. “While it is definitely better to have than no 2FA, it is certainly the least secure. Using an authenticator app on a mobile phone is a much more secure way to utilize two-factor authentication. It’s good to see companies moving towards a more secure environment.”

What This Means for Gmail Users

For Gmail users, this transition will mean a more secure and streamlined login experience. Instead of waiting for an SMS code, users will be able to verify their identity by scanning a QR code or using a passkey. These methods not only reduce the risk of phishing and SMS-based scams but also eliminate the need to rely on phone carriers, which can be vulnerable to breaches.

Google has been signaling this shift since as early as 2017, and the company’s commitment to improving account security is evident in its ongoing efforts to innovate. In addition to passkeys and QR codes, Gmail already offers other 2FA methods, such as prompting users to verify logins through the Gmail app or using Google Authenticator.

A Necessary Step Toward a Safer Digital Future

As cyber threats continue to evolve, so too must the methods we use to protect our online accounts. Google’s decision to phase out SMS-based 2FA is a proactive step toward reducing the risks associated with outdated authentication methods. By embracing passkeys and QR codes, the company is not only enhancing security for its users but also setting a standard for the industry.

While the transition may require some adjustment, the benefits far outweigh the inconvenience. Users can look forward to a more secure and seamless login experience, free from the vulnerabilities of SMS-based 2FA. As more companies follow suit, the digital landscape will become safer for everyone.

In the words of Ross Richendrfer, “We want to move past passwords with the use of things like passkeys, and we want to move away from sending SMS messages for authentication.” This forward-thinking approach underscores Google’s commitment to protecting its users and staying ahead of cyber threats in an increasingly connected world.

About the author

Ade Blessing

Ade Blessing is a professional content writer. As a writer, he specializes in translating complex technical details into simple, engaging prose for end-user and developer documentation. His ability to break down intricate concepts and processes into easy-to-grasp narratives quickly set him apart.
