Google Is Moving Away From SMS Code Verification, and That’s a Good Thing.

Two-factor authentication (2FA) is a fantastic security measure, but not all 2FA methods are created equal. SMS-based 2FA is by far the least secure option, and yet too many companies use it as the default. Attackers know this, which is why they use stolen SMS codes to scam people and take over Google accounts. That said, any 2FA is better than no 2FA, so it is worth tolerating SMS-based authentication if that is the only 2FA option offered.

However, the situation is now changing: Google is the latest company planning to move away from SMS codes. According to Forbes, the company intends to replace SMS codes with QR codes. This is a good thing, even if it changes the way you sign in to your Google account.

SMS 2FA is not secure enough

Intercepting an SMS code is surprisingly easy. For example, if someone steals your smartphone, they can read every SMS code it receives. But scammers don't need physical access to intercept your SMS codes; they can do it from the other side of the world.

Scammers can trick carriers into transferring your phone number to a SIM card they control (a SIM swap). Once that happens, your SIM stops working, all service moves to theirs, and they receive every SMS code sent to your number. If your bank account is protected by SMS-based 2FA, for example, the code arrives on their device, they authenticate, and your account is compromised. Some scammers also resort to a practice known as “traffic pumping,” in which they trick organizations into sending large numbers of SMS messages to numbers the scammers own. They profit from those messages while the rest of us deal with a torrent of spam. By moving away from SMS-based 2FA, Google hopes to curb this fraud.

Instead of relying on SMS-based authentication, I recommend using a dedicated authenticator app or passkeys, the passwordless system that Google itself is actively promoting. With an authenticator app, a new code is generated every 30 seconds on a device that you control, not the carrier. Authenticator apps themselves require biometric authentication and can be password protected, adding an extra layer of security. A physical security key offers the strongest protection, but a properly configured authenticator app is quite secure.

If you are willing to give up passwords entirely, passkeys are more secure still. A passkey is a cryptographic key pair generated for each login and tied to the device or password manager that created it. The passkey you create for Google on your Mac never leaves your device. Even if someone gets hold of the key file, they cannot use it, because it is encrypted.

Google changes 2FA by default to QR codes

Passkeys are the future, but in the meantime Google is moving to QR codes as the default method for verifying phone numbers.

When users sign in on a new device, they will be shown a QR code, which they scan with their smartphone to authenticate. Using a QR code for verification prevents phishing, since there is no code for the user to hand over. And because the scan happens in person between two nearby devices, no carrier codes or online servers are involved.

There’s no timeline for this yet; all Google has said is to “expect more from us on this in the near future.” As the feature becomes available, I will detail the steps here.
