The Evolution of Two-Factor Authentication: Transitioning from SMS to QR Codes
Implementing two-factor authentication (2FA) is a crucial step in enhancing security, yet how much protection it adds varies significantly with the method. SMS-based 2FA is widely regarded as the least secure option, yet many organizations still rely on it by default. Cybercriminals are well aware of this weakness, which is why they often target 2FA codes to commit fraud and gain unauthorized access to user accounts, including Google accounts. Despite its shortcomings, SMS-based 2FA is still better than having no 2FA at all, so it is acceptable if it is the only option available.
Nevertheless, a significant shift is underway: Google is among the latest companies to move away from SMS codes in favor of more secure alternatives. According to a report by Forbes, the tech giant plans to replace SMS codes with QR codes. This transition is a positive development, even if it changes how users log in to a Google Account.
The Inadequacy of SMS-Based 2FA
Obtaining an SMS code is surprisingly straightforward. For instance, if a person's smartphone is stolen, the thief receives every subsequent SMS code. Physical access is not even necessary, however: attackers can intercept these codes from anywhere in the world.
Fraudsters can manipulate mobile carriers into handing them control of a victim's phone number, an attack known as SIM swapping. The original SIM is disabled and the number's service is transferred to the attacker's device, so every SMS code sent to that number arrives there instead. For example, if a bank account uses SMS 2FA, the scammer receives the authentication code and uses it to get into the account. Some criminals also engage in a tactic called traffic pumping, deceiving companies into sending large volumes of SMS messages to numbers they control and profiting from the resulting traffic, while the general public suffers an influx of unwanted messages. Google's initiative to abandon SMS-based 2FA aims to curtail this kind of exploitation.
Instead of SMS authentication, use a dedicated authenticator app, or consider the passwordless passkeys system that Google is advocating. Authenticator apps generate a new code every 30 seconds from a secret that stays on a device under your control, rather than relying on anything managed by a mobile carrier. Additionally, authenticator apps generally require biometric verification and can also be locked with a password, providing an extra layer of protection. For those seeking the strongest protection, a physical security key offers the most. Nonetheless, a well-configured authenticator app is typically sufficient.
If eliminating passwords entirely appeals to you, passkeys offer an even stronger level of security. Passkeys are unique cryptographic keys generated for each login and bound to a specific device or password manager. For example, a passkey created for Google on a Mac stays on that device. Even if someone manages to obtain the key file, its encryption keeps it from being used.
Google’s Transition to QR Codes as Default 2FA
While passkeys represent the future of authentication, until they are universal Google is adopting QR codes as the primary method of verifying users' phone numbers.
When logging in on a new device, users will see a QR code that they scan with their smartphone to authenticate. Because no code is displayed that could be read out or typed into a fraudulent site, this greatly reduces the risk of phishing. Moreover, since the scan takes place in person between two nearby devices, neither carrier-delivered codes nor online servers are involved.
Although no specific timeline for this transition has been announced, Google has indicated that further updates will follow soon. As the feature becomes available, more detailed instructions are expected.