Google is poised to eliminate SMS two-factor authentication for millions of Gmail users, replacing the familiar one-time code sent via text message with QR codes. The security shake-up is designed to tackle widespread abuse of SMS to enhance protection for Gmail, which is the most widely-used email service on the planet.
For those who don’t know, two-factor authentication adds an additional check when logging in — so that criminals would need more than just your email address and password to gain access.
As it stands, Google will send this one-off code to your mobile number to verify your identity.
But that’s about to change. Under new rules, Gmail users will need to scan a QR code on-screen using their smartphone, instead of entering a code sent via text message. Gmail spokesperson Ross Richendrfer revealed the change is designed to “reduce the impact of rampant, global SMS abuse.”
Speaking about the shake-up to Forbes, Richendrfer said: “Just like we want to move past passwords with the use of things like passkeys, we want to move away from sending SMS messages for authentication.”
Google confirmed the shake-up to its two-factor security check in the wake of a warning to all 1.8 billion Gmail users about a spate of new Artificial Intelligence (AI) scams.

The new system is still reliant on a smartphone to check your identity, but moves away from the lax security of SMS messages, which don’t use any form of encryption, unlike tools like WhatsApp and iMessage.
Criminals are also able to intercept text messages by convincing your mobile network to transfer your number to a new phone, an attack known as SIM swapping. SMS verification also enables a dangerous scheme, known as “traffic pumping” or “artificial traffic inflation”, that allows fraudsters to profit from verification messages.
In this scam, criminals trick services into sending one-time passwords (OTPs) to premium-rate numbers controlled by scammers. Bots trigger repeated verification requests, forcing businesses to pay high SMS fees. Fraudulent telecom providers receive these fees and share profits with criminals, generating revenue through artificially inflated message traffic.
The solution? Google wants two-factor authentication on Gmail to rely on QR codes instead. Rather than waiting for an SMS to be delivered with a one-off code, you’ll need to scan the freshly-generated QR code on-screen. This removes the reliance on carrier security practices, while maintaining the same convenience.
However, this new solution appears to be a stop-gap for Google. The Californian firm wants to completely overhaul traditional authentication methods and remove passwords from the process.
Passkeys unlock your online accounts without the need to type a password.
Instead, a supported device or app will check your identity using biometrics, like facial or fingerprint recognition, and then vouch for you to the website or mobile app that you’re trying to access. And that’s it.
If you pay using Apple Pay or Google Pay, check your bank balance on a mobile app, or unlock your PC using Windows Hello — you’re already used to the convenience of biometrics. Passkeys bring that same simplicity and security to every login. No more forgotten passwords scribbled on Sticky Notes or tapping the “Forgotten Password?” prompt to desperately attempt to reset your login for the umpteenth time.
Passkeys were developed by the FIDO Alliance, an industry body with the stated aim of helping to “reduce the world’s over-reliance on passwords” with the likes of Apple, Google and Microsoft amongst its members.
First promoted as an alternative to passwords back in mid-2022, the clever system relies on the same biometrics that allow you to log in to your iPhone, iPad, Windows PC, Samsung phones and tablets, Android phones, and dozens more, without typing out a password or PIN.

Using the facial or fingerprint recognition built into your device, the operating system will then vouch for you to the app or website that you’re trying to access — completely bypassing the need for a password.
Google has long been a proponent of passkeys, which it has heralded as “a major step toward a ‘passwordless future’.” For the last two years, Google Account owners have been able to opt to use passkeys instead of SMS verification.