Google is ditching SMS two-factor authentication in favor of QR codes. The new 2FA method will provide increased protection against phishing and other common threats, but it may be less convenient than SMS verification, depending on Google’s implementation.
Most major websites use two-factor authentication (2FA) to prevent hackers from hijacking compromised accounts. The idea is pretty simple: a hacker who steals your username and password will rarely, if ever, have direct access to your smartphone or email inbox. So, instead of relying on usernames and passwords as the sole form of login verification, websites will send one-time codes via SMS or email to ensure that login attempts are legit.
Two-factor authentication substantially increases account security. Unfortunately, it also makes the login process a lot slower. Websites like Google know that 2FA can be annoying, so they often opt for the most painless form of authentication—the humble one-time SMS verification code.
We often refer to SMS as the “bare minimum” 2FA method. It’s better than nothing, but it’s far from perfect. Let’s pretend that a hacker has stolen the username and password for grandma’s banking account. The hacker can overcome SMS verification by calling grandma, impersonating Google, and straight up asking her to read out the code. SMS authentication cannot prevent this kind of social engineering, because the six-digit code is a secret the legitimate user can be talked into handing over. In some cases, it may even provide a veneer of authenticity for scammers—if a hacker triggers a 2FA SMS before calling grandma, they may use it as a pretext to say, “We’ve detected that your account is under attack, give us that code so we can fix it.”
SMS authentication became a default login requirement for all Google accounts in 2021. Now, with four years of experience under its belt, Google tells Forbes that it wants to implement a more robust 2FA system. The company points to phishing, as well as carrier-side security flaws, as the reason for this change.
The chosen replacement for SMS authentication—QR codes—should increase account security for all Google users. Hackers may struggle to convince grandma that she should scan a random QR code, and because this QR code system does not rely on SMS, it can’t be compromised by carriers’ notoriously crappy security practices.
“Over the next few months, we will be reimagining how we verify phone numbers. Specifically, instead of entering your number and receiving a 6-digit code, you’ll see a QR code being displayed, which you need to scan with the camera app on your phone.”
As for how Google will implement its new 2FA method, the company says that “you’ll see a QR code being displayed [when you try to log in to your Google account], which you need to scan with the camera app on your phone.” It sounds pretty straightforward, but I’m left wondering about the finer details. Like, this system assumes that you’re already logged into Google on your phone—what if you aren’t? How will Google handle 2FA for mobile phone logins?
Also, QR codes are not impervious to phishing. I assume that these QR codes are just web links. They probably take you to a web page that says, like, “Such and such device is trying to log into your account, do you want to give it access?” It’s better than a six-digit SMS code, but you could totally convince grandma to click the big blue “Confirm” button if you really tried. (To be clear, I’m making an assumption about how Google’s QR verification will work. I may be dead wrong.)
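To make the difference between a code you read aloud and a scan you approve concrete, here is an added example of a generic QR-scan login approval flow of the kind the paragraph above speculates about. It is not Google’s implementation (the article notes those details are unknown) and not code from the article; the approval URL, account names, device strings and the 120-second lifetime are all constructed for the illustration.

```python
import secrets
import time
from dataclasses import dataclass

# Hypothetical approval endpoint; constructed for this example, not a real URL.
APPROVE_URL = "https://accounts.example.test/approve"
CHALLENGE_TTL = 120  # seconds a pending QR login stays valid (assumed value)


@dataclass
class PendingLogin:
    account: str      # account the desktop is trying to sign in to
    session_id: str   # desktop browser session awaiting approval
    device: str       # shown to the user on the phone before they decide
    created: float    # clock reading when the challenge was minted
    used: bool = False


class AuthServer:
    """Toy server side of a QR-scan login approval (illustrative design only)."""

    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.pending: dict[str, PendingLogin] = {}
        self.verified_sessions: dict[str, str] = {}  # session_id -> account

    def start_login(self, account: str, device: str) -> tuple[str, str]:
        """Password step passed on the desktop: mint a one-time challenge.
        Returns (desktop session id, URL to render as the QR code)."""
        challenge = secrets.token_urlsafe(32)
        session_id = secrets.token_urlsafe(16)
        self.pending[challenge] = PendingLogin(account, session_id, device, self.clock())
        return session_id, f"{APPROVE_URL}?c={challenge}"

    def _lookup(self, qr_url: str):
        """Resolve a scanned URL to its pending login; None if unknown, used or expired."""
        if "?c=" not in qr_url:
            return None
        p = self.pending.get(qr_url.split("?c=", 1)[1])
        if p is None or p.used or self.clock() - p.created > CHALLENGE_TTL:
            return None
        return p

    def describe(self, qr_url: str, phone_account: str):
        """The phone, already signed in as phone_account, opened the link.
        Returns the prompt to show, or None if the request is not for this account."""
        p = self._lookup(qr_url)
        if p is None or p.account != phone_account:
            return None
        return f"{p.device} is trying to sign in to {p.account}. Allow?"

    def decide(self, qr_url: str, phone_account: str, approve: bool) -> bool:
        """User tapped Allow or Deny on the phone. True only if the desktop
        session became verified."""
        p = self._lookup(qr_url)
        if p is None or p.account != phone_account:
            return False
        p.used = True  # any decision consumes the challenge, so it cannot be replayed
        if approve:
            self.verified_sessions[p.session_id] = p.account
            return True
        return False

    def is_verified(self, session_id: str) -> bool:
        return session_id in self.verified_sessions


def demo() -> dict:
    """Run the flow against a fake clock and return the outcome of each check."""
    now = [0.0]
    srv = AuthServer(clock=lambda: now[0])
    account = "grandma@example.test"  # constructed sample account
    sid, url = srv.start_login(account, "Chrome on Windows (Berlin, DE)")
    out = {}
    out["prompt"] = srv.describe(url, account)
    # A phone signed in to some other account is shown nothing.
    out["wrong_account"] = srv.describe(url, "someone-else@example.test")
    # Tapping Allow verifies exactly the desktop session that showed the QR code.
    out["approved"] = srv.decide(url, account, approve=True)
    out["verified"] = srv.is_verified(sid)
    # The same QR code cannot be approved a second time.
    out["replay"] = srv.decide(url, account, approve=True)
    # A QR code left on screen past CHALLENGE_TTL is dead.
    sid2, url2 = srv.start_login(account, "Safari on macOS")
    now[0] += CHALLENGE_TTL + 1
    out["expired"] = srv.decide(url2, account, approve=True)
    out["expired_session_verified"] = srv.is_verified(sid2)
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of the design is that there is no code for the user to relay: the approval travels from the already signed-in phone straight to the server and is bound to one pending desktop session, so a caller impersonating Google has nothing to ask for. What remains is exactly the residual risk the paragraph above describes, a user who taps Allow on a prompt they did not initiate, which is why the prompt names the requesting device and location and why the challenge expires quickly and can only be consumed once.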
We’re in desperate need of a more secure, sophisticated, and convenient 2FA methodology. Hardware security keys are excellent, but they don’t have mass appeal and can be very unforgiving. Passkeys eliminate the need for two-factor authentication in some scenarios, but they do not make 2FA obsolete, and many websites that utilize passkeys still require 2FA.
Anyways, you know those weird restaurants that use QR codes instead of menus? Logging into your Google account is gonna feel a little bit like that. I’m not particularly excited by the prospect of pulling out my phone and pointing it at a screen as I rush to get into a Google Meet call, and I’m generally not a fan of QR codes in the first place, but I agree with Google’s decision to adopt a more resilient 2FA method.
Source: Google via Forbes