Google will replace the unsafe SMS codes for Gmail with QR code scanning verification.

      Since Google introduced two-step verification for Gmail and other linked authentication methods within its ecosystem, SMS codes have been a standard feature. However, security assessments have found that SMS codes are highly vulnerable, particularly when the communication channel lacks encryption. This is set to change, as SMS codes will soon be replaced by QR codes for Gmail authentication.

      When it comes to securing accounts, SMS is not the best option for receiving sensitive verification codes or one-time passwords (OTPs) on mobile devices. Consequently, Google has been developing password alternatives over recent years, including on-device Google prompts, authenticator apps, hardware security keys, and the Passkey system, to reduce risks such as SMS phishing.

      Now, Google intends to completely eliminate SMS-based verification for Gmail and Google account authentication. "We aim to move beyond passwords with solutions like passkeys, and similarly, we want to stop sending SMS messages for authentication," stated Gmail spokesperson Ross Richendrfer, as cited by Forbes.

      Why is SMS considered unsafe?

      Google introduced the device prompt system for account verification in 2016. While receiving codes via text message is convenient, the risks are not limited to the communication method and sophisticated phishing schemes. SIM swapping, social engineering, and impersonation attacks are well-documented tactics, and when these attacks occur, the legitimate user does not receive their SMS verification codes.

      As a result, they may find themselves locked out of their Gmail account and all associated services, including third-party services that require a Google account login. Additionally, if users lack access to cellular networks, obtaining login codes via SMS can become even more problematic.

      How can QR codes provide a solution?

      In the coming months, Google plans to replace the six-digit SMS codes with a QR code that users can scan using their phone's camera app. While the company has not released extensive technical information about these changes, it appears Google will likely establish a protocol that requires a secure QR code handshake with a verified device that has the registered phone number.

      It's important to note that QR codes are not infallible; QR scams are relatively common. However, a QR scanning system that utilizes a local decode key or a secure public key shared exclusively between two trusted parties is significantly safer and faster.

      Recently, we reported on an innovation called self-authenticating dual-modulated QR (SDMQR) code, which has secured governmental funding and may soon replace barcodes in various business and industrial contexts. Developed by experts from the University of Rochester, the SDMQR code is based on a cryptographic signature system that can only be unlocked with a digital private key. These specialized QR codes will not require any special scanning applications and can be implemented on mobile devices worldwide at the OS level.
