Google has confirmed it will phase out the use of SMS text messages for multi-factor authentication (MFA) in favor of more secure technologies. The move follows a shift away from SMS-based MFA due to its inherent insecurities.
In 2016, the US government’s National Institute of Standards and Technology (NIST) advised retiring basic text messaging as a means of MFA due to its vulnerabilities. SIM swapping attacks and “traffic pumping” schemes have further eroded trust in SMS-based authentication.
Google will introduce QR code authentication, allowing users to scan a code with their camera app instead of receiving a one-time password via SMS. The change aims to enhance security and reduce the risk of malicious activity.
While Google won’t entirely eliminate SMS for identity confirmation, it will shift its focus to QR codes for login purposes. This move follows similar changes made by other major companies, including Amazon and Snowflake, which have added MFA to their services in recent years.
Google’s privacy spokesperson, Ross Richendrfer, stated that “SMS codes are a source of heightened risk for users” and expressed confidence in the new QR code-based approach. The company will continue to provide updates on this innovation in the near future.
Source: https://www.theregister.com/2025/02/25/google_sms_qr