Google is planning to move away from sending six-digit authentication codes through SMS messages as a two-factor authentication tool for Gmail, Forbes reports. Instead, over the next few months, QR codes will be rolled out as a replacement for SMS codes in an attempt to “reduce the impact of rampant, global SMS abuse,” Gmail spokesperson Ross Richendrfer told Forbes.
Google uses SMS codes both to verify that it’s dealing with the same person who created or owns a Gmail account and as a deterrent to keep criminals from creating “thousands of Gmail accounts in order to distribute spam and malware,” Richendrfer says.
But while SMS codes are better than using no two-factor authentication at all, the approach comes with its own security risks. Criminals can trick or force users into sharing a code that’s been sent over SMS messaging, and users may not have immediate access to the device receiving the codes. SMS verification is also dependent on each carrier’s own security practices, and on how diligent their support teams are at preventing fraudsters from getting access to someone else’s mobile number.
The move will also help Google avoid a more recent scam called traffic pumping or toll fraud. “It’s where fraudsters try to get online service providers to originate large numbers of SMS messages to numbers they control, thereby getting paid every time one of these messages is delivered,” Richendrfer and Google’s Kimberly Samra explained to Forbes.
Once the change has been implemented, instead of verifying phone numbers by sending a six-digit code, Google will present a QR code that users can scan using the camera app on their smartphones. That will eliminate the risk of users being tricked into sharing codes, since the codes will no longer exist, and it takes security risks introduced by phone carriers, including unwanted SIM swapping, out of the equation entirely.