Google is dropping SMS authentication for QR codes
Google has called time on SMS verification method as hackers continue to manipulate the process to compromise accounts
Google appears finally ready to deprecate using SMS codes for multi-factor authentication (MFA) in Gmail, according to insiders at the search giant.
On 23 February, Forbes reported internal sources at Google had revealed the firm made the decision to do away with SMS codes for authentication, with QR codes set to replace them.
A Google spokesperson said that much like its effort to replace passwords with passkeys, it's looking to move away from SMS authentication in light of a global torrent of cyber attacks abusing SMS-based MFA processes.
The primary weakness of SMS code authentication is that attackers trigger the MFA process to intercept the one time passcode (OTP) and use this to compromise accounts.
This can be achieved by tricking victims into revealing their OTPs via social engineering scams, or by taking control of the victim’s phone number via a SIM swapping attack.
The spokesperson said SMS verification also plays a role in ensuring cyber criminals cannot abuse its services for malicious purposes, but has been exploited in some scams like SIM swapping and traffic pumping.
Rishi Bhargava, co-founder of Descope, said Google’s decision to finally do away with SMS code authentication as a pivotal moment in the security industry, but considering the process's weaknesses he labelled the move long overdue.
“Google's decision to abandon SMS authentication is a watershed moment in security, but it's unsurprising, given that SMS has been the weakest link in MFA for years,” he noted.
Bhargava highlighted that Google also cited traffic pumping, which involves criminals tricking service providers into sending OTPs to premium lines they control thus generating profit each time an SMS verification was generated.
“While SMS codes are better than no authentication, they are vulnerable to phishing, SIM swapping, and real-time interception attacks that bypass traditional MFA. What's particularly telling is Google citing 'traffic pumping' scams as a key driver - where fraudsters exploit SMS infrastructure for financial gain.”
Google’s QR code switch set for the ‘near future’, but fears remain
Moving forward, when verifying phone numbers Google will be transitioning to using a QR code that the user can scan using their mobile device.
Firstly, this will significantly reduce an attacker’s ability to trick users into sharing their verification codes as it's far more difficult to share a QR code than a simple six digit number.
The new verification system will also remove the network providers who can be manipulated in SIM swapping and traffic pumping.
QR codes are not without their own weaknesses when it comes to cybersecurity. QR code phishing, or ‘qishing’, is an increasingly prevalent attack vector employed by threat actors.
RELATED WHITEPAPER
After Google transitions to QR code verification, cyber attackers may take advantage of the increased usage of the tool and tailor their phishing attack chains to mirror this process.
In one campaign observed by Trend Micro, threat actors were found distributing a malicious QR code disguised as a two-factor authentication method for ‘documents’ being sent to victims.
A senior researcher at Trend Micro told ITPro that QR code-based attacks pose a considerable threat as phones often lack many of the security protections that PCs are equipped with and are an easier target to compromise for attackers.
Google has not given a specific timeframe in which the transition will be made for Google account holders, but added that users should look out for updates from the firm in the ‘near future’.
MORE FROM ITPRO
- INSERT CONTENT
-
Will AI hiring entrench gender bias?ITPro Podcast Leaders need to proactive as attackers launch more consistent, sophisticated attacks
-
Met Office hails huge efficiency gains in first year of cloud supercomputing with Microsoft AzureNews In moving to the cloud, the Met Office has bolstered operational resilience and helped to deliver more accurate forecasts
-
Interpol teams up with tech firms to seize 45,000 malicious IPs, servers in global cyber crime crackdownNews Operation Synergia III saw 94 arrests - and counting - with malicious IP addresses used in phishing and fraud schemes seized
-
Is your new hire an AI clone? Microsoft says North Korean hackers are using AI to impersonate job seekers and steal company secretsNews The groups are increasingly using face-changing or voice-changing software to make their fake identities more plausible
-
LastPass issues alert as customers face second major phishing campaign of 2026News The campaign is the third to hit LastPass users in six months
-
A single compromised account gave hackers access to 1.2 million French banking recordsNews Ficoba has warned that “numerous” scams are already in circulation following the data breach
-
Starkiller: Cyber experts issue warning over new phishing kit that proxies real login pagesNews The Starkiller package offers monthly framework updates and documentation, meaning no technical ability is needed
-
Security experts warn Substack users to brace for phishing attacks after breachNews Substack CEO Christ Best confirmed the incident occurred in October 2025
-
Google issues warning over ShinyHunters-branded vishing campaignsNews Related groups are stealing data through voice phishing and fake credential harvesting websites
-
Hackers are using LLMs to generate malicious JavaScript in real time – and they’re going after web browsersNews Defenders advised to use runtime behavioral analysis to detect and block malicious activity at the point of execution, directly within the browser
