Google is trying, but authentication is still terrible

Image: Two-Factor Authentication (credit: Android Central)

Google is working to replace the SMS-code authentication used to sign into a Google account with a QR code you scan. Even with the severe flaws in this idea, it's good that Google is trying to make proving who we are a little more streamlined and less nerdy. If it weren't such a pain to do, more services would offer MFA (multi-factor authentication), and more of us would use it.

Google's not alone here. Microsoft, Apple, and organizations like the FIDO Alliance are working on the issue, too. These companies know that it's something that benefits everyone, and it needs to be done in a simple yet effective way.

Before discussing Google's new idea, you need to know what authentication is. When I tell you who I am, I'm providing my identity. That never changes: I will always be me, even if I change my name. I'm still this person.

But sometimes I need to prove it and authenticate that I am who I say I am, because it's very easy for me to lie. You don't want Joe Random to have access to your bank or other online account, so proof is mandatory.

There are three types of authentication factor, and for a service to be secure it needs to use at least two of them. Using two different types lowers the chance that I'm someone else just trying to get into Jerry's account.

Knowledge: Something only the real Jerry would know, like a password or a PIN.
Ownership: Something only the real Jerry has, like an ID card or a software token on a phone.
Inherence: Something the real Jerry is or does, like supplying a fingerprint or a retina scan.

You'll always need to use a password or PIN for one type of authentication, but for something to be considered secure, you also need to use one of the other two types. That's where things can get messy.

Image: Google Lens search with your camera function (credit: Android Central)

Google thinks it would be better and easier to show you a QR code you can scan to supply proof of ownership than to send you an SMS message. It would definitely be more secure, because SMS messages aren't difficult to spoof or "hack" into.

It also has two potential problems I can spot: it can require two devices, and it may only work seamlessly if you use an up-to-date Android phone. I'll give you a worst-case example:

I buy a new iPhone 16 Pro Max and want to sign into my Gmail account. I can't use an authenticator app, because I need access to my Google account to set one up or switch to a new one, so I have to use the fallback method. Google then shows me a QR code: a QR code on the screen of the only device I have, the very device I'm trying to use to sign into my account. Can you spot the problem here?

The second problem: what if I do have a QR code scanner on my new iPhone and scan the code? What happens next? If I have an Android phone with the latest version of Google Services installed, the process can be whisked away and handled automatically. It could be done through something like Google Lens or even Circle to Search, so it works with one device.

Since I am trying to do this on my iPhone, I just have to use the fallback for the fallback and get an SMS. SMS authentication is insecure, but it's necessary. This makes sense for Android phones and a Google account. Not so much for other devices.
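To make the factor rule and the fallback chain above concrete, here is an added Python model; it is not Google's code, and the method names, device attributes and the order of the fallback chain are my own assumptions drawn from the scenario described.

```python
from dataclasses import dataclass
from enum import Enum

class Factor(Enum):
    KNOWLEDGE = "knowledge"   # something only you know
    OWNERSHIP = "ownership"   # something only you have
    INHERENCE = "inherence"   # something you are or do

# Hypothetical method names, mapped to the factor type each one proves.
FACTOR_OF = {
    "password": Factor.KNOWLEDGE,
    "pin": Factor.KNOWLEDGE,
    "sms_otp": Factor.OWNERSHIP,
    "qr_scan": Factor.OWNERSHIP,
    "authenticator_app": Factor.OWNERSHIP,
    "fingerprint": Factor.INHERENCE,
}
WEAK_METHODS = {"sms_otp"}  # reaches every phone, but SMS is spoofable: last resort only

def is_mfa(methods):
    """True only when two *different* factor types are present:
    a password plus a PIN is still a single (knowledge) factor."""
    return len({FACTOR_OF[m] for m in methods}) >= 2

@dataclass
class Device:
    name: str
    is_login_device: bool    # its screen is where the QR code is shown
    can_scan_qr: bool        # has a camera app that can read the code
    handles_qr_itself: bool  # up-to-date Android: code consumed on the same device
    has_phone_number: bool

def pick_ownership_method(devices):
    """Walk the assumed fallback chain for a first sign-in on a fresh device:
    on-device QR handling -> QR scanned by a second device -> SMS -> nothing.
    A scanner on the login device itself does not help: it cannot scan its own screen."""
    login = [d for d in devices if d.is_login_device]
    if any(d.handles_qr_itself for d in login):
        return "qr_scan", login[0].name
    others = [d for d in devices if not d.is_login_device and d.can_scan_qr]
    if others:
        return "qr_scan", others[0].name
    phones = [d for d in devices if d.has_phone_number]
    if phones:
        return "sms_otp", phones[0].name
    return None, None
```

Run the iPhone-only worst case through `pick_ownership_method` and it lands on `sms_otp`, the weakest method in the chain, which is exactly the gap the scenario above describes.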

This is the real problem with authentication. It's always going to require some extra steps, and those extra steps can be a pain in the you-know-what. Using your fingerprint scan — something that never changes and is your identity, not a means of authentication — was a big step towards making all this less messy. Unfortunately, you can't use the fingerprint until you have it set up, and Gmail doesn't support using it to get into your account for the first time.

I don't know how you "fix" this, but I do know that really smart people are working on it. We've seen things progress from an on-device keychain that holds auth methods to fingerprint scans, to Passkeys, and now QR codes. Keeping SMS as a fallback option is smart, too, because every device with a phone number can get one.

Google has yet to reveal all the details of how this will work, so we will likely hear more about it before it rolls out. In any case, we have reached out to Google for more information and will update this article when we hear back.

I think this will be fixed, even though I don't know how. Then, we will have to wait until every service we want to use adopts safe and simple authentication methods.

Jerry Hildenbrand
Senior Editor — Google Ecosystem

Jerry is an amateur woodworker and struggling shade tree mechanic. There's nothing he can't take apart, but many things he can't reassemble. You'll find him writing and speaking his loud opinion on Android Central and occasionally on Threads.