C. Scott Brown / Android Authority
TL;DR
- Google will soon phase out SMS-based two-factor authentication in favor of QR codes.
- The company will use various techniques, including attempting to verify the user’s number directly with their carrier using the user’s mobile device. In some cases, users will have to send an SMS to Google instead of Google sending an SMS code to them.
- Users will have fallback authentication mechanisms available, but they’ll still need a phone.
Google spokesperson Ross Richendrfer reiterated that SMS is mainly used as a security and anti-abuse check, but there are plenty of security challenges, like phishing and traffic pumping. Consequently, Google plans to reimagine how it verifies phone numbers over the next few months. Instead of entering their phone numbers and receiving a six-digit code over SMS, users will see a QR code they need to scan with their phone camera.
Google tells us that the user’s mobile device will attempt to verify their number directly with their carrier. The company will use various techniques for this, depending on the options supported by the carrier. In certain cases, this could result in an SMS message sent from the user’s phone to a Google number. This will be different from Google sending an SMS code to the user, which is easier to phish by social engineering.
But will fallback authentication methods be available if the user cannot access a mobile phone? Google answers no. Since access to a phone is needed to receive SMS messages even now, the requirement for having a mobile device won’t change.
What if the user is authenticating Gmail on a new mobile device? Google says that as long as the user is using the same mobile number on the new device, they will be able to authenticate. If not, they will have to fall back to other mechanisms.
We’ll have to wait for the QR code rollout to assess how these mechanisms help protect users from SMS-related security concerns. We’ll keep you updated when we learn more.