Google is shifting away from using SMS-based two-factor authentication (2FA) codes for Gmail and replacing them with QR codes. According to a report by Forbes, this move is aimed at improving security by reducing vulnerabilities associated with SMS authentication, such as SIM swapping attacks, phishing, and SMS interception by hackers.

The Mountain View-headquartered company will reportedly implement this change over the next few months, so users should expect a shift in how they verify logins. Notably, this move aligns with Google’s push towards passwordless authentication, encouraging users to use Google Authenticator, security keys, or passkeys instead of SMS codes.

The tech titan believes that SMS-based authentication is vulnerable to attacks like SIM hijacking, where cybercriminals take control of a user’s phone number. QR codes, by comparison, provide a more secure way to verify identity.

Going forward, instead of receiving a six-digit code via SMS, users will scan a QR code with their phone to authenticate their login. For users, this means they should update their security settings and switch to more secure authentication options as soon as possible.

In fact, beyond security concerns, SMS verification codes are being exploited in large-scale fraud operations. A relatively new scam, known as traffic pumping (or toll fraud), involves fraudsters generating massive amounts of SMS verification requests to numbers they control. Since online service providers like Google pay for these messages, scammers make money every time a code is sent. This artificial inflation of SMS traffic results in unnecessary financial losses for companies while fueling criminal activities.

With the rise of cyberattacks, data breaches, and the vulnerabilities of password-based security, the need for strong and secure authentication methods has become increasingly important. The numbers bear this out: scam calls and fake text messages nearly doubled in just one year. In 2024, there were over 38 million scam calls, up from 20.8 million in 2023. Similarly, fraudulent text messages jumped to around 130 million in 2024, compared to 58.3 million in 2023.

Gmail has had security issues in the past. In 2014, a major data breach exposed nearly 5 million email addresses and passwords online. Some Google Chrome extensions were also hacked. Last year, the tech giant introduced a new suite of security features for Android users, including “Private Spaces” and “Theft Detection Lock.”