Google has announced plans to phase out SMS-based verification codes for identity authentication when signing into Gmail. The company stated that traditional two-factor authentication (2FA) via SMS is vulnerable to phishing attacks, telecom operator breaches, and fraudulent schemes. Instead, Google will implement a more secure method using QR codes.
According to Gmail spokesperson Ross Richendfer, the company is committed to modernizing authentication mechanisms, transitioning toward passkeys and other advanced security solutions, while gradually abandoning outdated methods. The primary objective, he emphasized, is to mitigate the security risks associated with SMS abuse.
Currently, Google employs SMS verification codes for two key purposes: identity authentication and abuse prevention. The former ensures that an account remains under the control of its rightful owner, while the latter is designed to thwart mass registration of fake accounts used for spam and malicious campaigns.
However, SMS-based authentication has long been a prime target for cybercriminals. Attackers can intercept these codes, exploit social engineering techniques to hijack a victim’s phone number, or engage in fraudulent schemes such as “traffic pumping”, where malicious actors manipulate conditions to generate a high volume of SMS messages to numbers they control, profiting from carrier payouts.
Google asserts that replacing SMS codes with QR codes will significantly reduce phishing risks, as users will no longer receive six-digit codes that could inadvertently be shared with attackers. Additionally, this transition will lessen dependence on mobile carriers, making the authentication process more resilient and secure.
Richendfer noted that in the coming months, Gmail users will start noticing these changes. Instead of entering a phone number and receiving an SMS code, users will be presented with a QR code on their screen, which they will need to scan using their smartphone camera.
This shift aligns with the broader technological industry trend of eliminating unreliable authentication methods. Increasingly, biometric authentication, cryptographic security keys, and other cutting-edge solutions are being adopted in place of passwords and SMS-based verification.
While Google has not yet disclosed a precise rollout timeline, the company confirmed that it is actively working on the transition. Gmail users can expect an official announcement in the near future.
