Google says it wants you to sign into Gmail with QR codes, not SMS
The company confirmed the change is on the way; now, we play the waiting game.

What you need to know
- Google confirmed today (Feb 24) that it will soon fade out its SMS code sign-in method for Gmail in favor of QR codes.
- The company says QR codes will offer a little more robust security as SMS codes are more prone to "phishing."
- Google reiterated the same sentiment during its first introduction of passkeys for personal accounts.
Today (Feb 24), Google stated it is moving to remove SMS security codes for Gmail and replace them with something a little stronger.
A statement via a Gmail spokesperson to Forbes reads, "...we want to move away from sending SMS messages for authentication." As a result, Google is now interested in displaying a QR code for users attempting to securely sign in to their Gmail accounts. Spokesperson Ross Richendrfer informed the publication that this will begin "over the next few months."
QR code sign-in will be a part of Google's new vision for "verifying phone numbers." While users will need to scan the code with their phone's camera, the company states this new security method will assist users in two ways.
First, Google says a QR code will help reduce the risk of phishing as users won't be "tricked into sharing their security codes with a threat actor." The company adds QR codes will also reduce the "reliance" users have on their "phone carrier for anti-abuse protections."
This second point was highlighted by Richendrfer and Google's Kimberly Samra, who state that SMS with a security code isn't all that safe. They add that, with SMS codes, users run the risk of a malicious person getting hold of their phone number. If that happens, all "security value of SMS goes away." Google says SMS codes are at the "heart" of many criminal operations around the world, forcing this issue (in its eyes) even more.
Aside from "over the next few months," Google didn't tell Forbes when users can expect to see this change roll out. However, there will likely be more obvious statements/announcements from Google when it happens. The company teased more will happen "in the near future."
Google's been kicking its security strength up a notch ever since it made passkeys the default option for personal accounts. The company touted that passkeys, which were developed by the FIDO Alliance, were 40% faster than passwords. More importantly, passkeys rely solely on your device's various authentication methods like fingerprint, face ID, or PIN. As with the swap from SMS codes to QR codes, Google says passkeys can't be phished or stolen.
In short, your credentials won't be stolen over an internet connection.
A few months before passkeys, Google rolled out a few more enhanced security features for users, including a Dark Web report. The feature arrived for Gmail and let users check whether their email addresses had been leaked or exposed on the dark web.
Nickolas is always excited about tech and getting his hands on it. Writing for him can vary from delivering the latest tech story to scribbling in his journal. When Nickolas isn't hitting a story, he's often grinding away at a game or chilling with a book in his hand.