Google is dropping SMS authentication for QR codes

Google appears finally ready to deprecate using SMS codes for multi-factor authentication (MFA) in Gmail, according to insiders at the search giant.

On 23 February, Forbes reported internal sources at Google had revealed the firm made the decision to do away with SMS codes for authentication, with QR codes set to replace them.

A Google spokesperson said that much like its effort to replace passwords with passkeys, it's looking to move away from SMS authentication in light of a global torrent of cyber attacks abusing SMS-based MFA processes.

The primary weakness of SMS code authentication is that attackers trigger the MFA process to intercept the one time passcode (OTP) and use this to compromise accounts.

This can be achieved by tricking victims into revealing their OTPs via social engineering scams, or by taking control of the victim’s phone number via a SIM swapping attack.

The spokesperson said SMS verification also plays a role in ensuring cyber criminals cannot abuse its services for malicious purposes, but has been exploited in some scams like SIM swapping and traffic pumping.

Rishi Bhargava, co-founder of Descope, said Google’s decision to finally do away with SMS code authentication as a pivotal moment in the security industry, but considering the process's weaknesses he labelled the move long overdue.

“Google's decision to abandon SMS authentication is a watershed moment in security, but it's unsurprising, given that SMS has been the weakest link in MFA for years,” he noted.

Bhargava highlighted that Google also cited traffic pumping, which involves criminals tricking service providers into sending OTPs to premium lines they control thus generating profit each time an SMS verification was generated.

“While SMS codes are better than no authentication, they are vulnerable to phishing, SIM swapping, and real-time interception attacks that bypass traditional MFA. What's particularly telling is Google citing 'traffic pumping' scams as a key driver - where fraudsters exploit SMS infrastructure for financial gain.”

Google’s QR code switch set for the ‘near future’, but fears remain

Moving forward, when verifying phone numbers Google will be transitioning to using a QR code that the user can scan using their mobile device.

Firstly, this will significantly reduce an attacker’s ability to trick users into sharing their verification codes as it's far more difficult to share a QR code than a simple six digit number.

The new verification system will also remove the network providers who can be manipulated in SIM swapping and traffic pumping.

QR codes are not without their own weaknesses when it comes to cybersecurity. QR code phishing, or ‘qishing’, is an increasingly prevalent attack vector employed by threat actors.

After Google transitions to QR code verification, cyber attackers may take advantage of the increased usage of the tool and tailor their phishing attack chains to mirror this process.

In one campaign observed by Trend Micro, threat actors were found distributing a malicious QR code disguised as a two-factor authentication method for ‘documents’ being sent to victims.

A senior researcher at Trend Micro told ITPro that QR code-based attacks pose a considerable threat as phones often lack many of the security protections that PCs are equipped with and are an easier target to compromise for attackers.

Google has not given a specific timeframe in which the transition will be made for Google account holders, but added that users should look out for updates from the firm in the ‘near future’.

MORE FROM ITPRO

• INSERT CONTENT