Google to replace SMS-based two-factor authentication with QR codes for Gmail.


Google is preparing to phase out SMS-based two-factor authentication (2FA) for Gmail users, replacing it with QR code verification, according to a Forbes report. The move is aimed at enhancing security and reducing risks associated with phishing attacks and SIM-swapping fraud, which cybercriminals use to hijack users’ phone numbers and steal verification codes.

Currently, Gmail users receive a six-digit authentication code via SMS after entering their passwords. This system, introduced in 2011, has remained one of the most widely used security measures despite newer, more secure alternatives. However, Google is now set to roll out QR codes as a replacement, which users will need to scan with their smartphone cameras to verify their identity.

SMS-based 2FA, while better than having no additional security, has become increasingly vulnerable to cyberattacks. SIM-swapping attacks, where scammers transfer a victim’s phone number to a new SIM card and intercept verification messages, have led to several high-profile breaches. Additionally, hackers often trick users into revealing their one-time SMS codes through phishing attacks, making SMS authentication a weaker layer of protection.

Google is not the first company to abandon SMS-based authentication. X (formerly Twitter) has also moved away from SMS verification due to concerns over SMS fraud, where attackers exploit telecom loopholes to profit from automated text message verifications.

While Google has not yet confirmed an official rollout date, the transition to QR-based authentication is expected to take place over the next few months. In addition to QR codes, Google already offers more secure login options, including:

- Google Prompts: Users receive a pop-up notification on their registered device, allowing them to approve or deny a login attempt.

- Authenticator Apps: Time-based one-time passwords (TOTP) generated by Google Authenticator or third-party apps like Authy.

- Security Keys: Physical security keys such as YubiKey offer hardware-based authentication for maximum protection.

It is currently unclear whether Google will also discontinue phone call-based authentication, which some users opt for instead of SMS codes.

LinkedIn Profile:

https://www.dhirubhai.net/in/sulbhatiwari/

