Google binning SMS MFA at last and replacing it with QR codes

Everyone knew texted OTPs were a dud back in 2016


Google has confirmed it will phase out the use of SMS text messages for multi-factor authentication in favor of more secure technologies.

The search-and-ads giant introduced SMS delivery of one-time passcodes for Gmail authentication in February 2011, and by 2018 fewer than 10 percent of users had enabled it. Google later began requiring multi-factor authentication for most accounts in 2021.

But SMS fell out of favor due to inherent insecurities: very well-placed miscreants and nation states could abuse the SS7 signaling network to redirect passcode texts, allowing accounts to be taken over; and not-so-well-placed scumbags, needing no network access at all, could use SIM swapping to take over a victim's cellphone number and receive their one-time texted codes.

In 2016, the US government's NIST advised, in its draft SP 800-63B digital identity guidelines, that plain text messaging should be deprecated as an out-of-band channel for multi-factor authentication.

That was sensible advice: if a thief has actually stolen a phone, it's essentially game over. Depending on the owner's notification settings, the texted code can be read straight off the device's lock screen without unlocking the handset, and that code is enough to reset the Google account's password.

Secondly, the continued rise of SIM swapping has rendered SMS authentication somewhat moot. As we've seen time and time again, if a skilled social engineer can convince a telco that its customer has a new SIM card, all bets are off on the security front: the attacker's handset now receives the victim's texts. In 2024 CISA officially advised (PDF) people to move away from SMS authentication in favor of safer systems.

There's also the fraud angle. Google has noted a rising trend in "traffic pumping" schemes in which fiends script OTP requests to large batches of phone numbers, causing websites to send SMS messages with unneeded one-time passwords; the site pays the per-message termination fees, and the fraudsters share in that revenue with a cooperating carrier or route. Elon Musk claimed that when he took over Twitter such scams were costing the microblogging service $60 million a year in SMS traffic fees.
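The pumping schemes above are something a site can spot on its own side, before a message ever reaches the carrier. What follows is an added example, not code from Google or The Register: a small detector that replays constructed OTP-send requests and refuses sends when it sees the usual pumping signature, namely a burst of distinct numbers sharing one carrier prefix, numerically adjacent numbers, or one client IP triggering too many sends. The thresholds, the seven-digit prefix length, the request format and the sample numbers are all assumptions made for illustration.

```python
"""SMS-pumping (toll-fraud) detector for one-time-password sends.

Added example, not Google's code. Thresholds, prefix length and the
request format are assumptions chosen for illustration.
"""
from collections import defaultdict, deque
from dataclasses import dataclass

WINDOW_SECONDS = 300   # assumed: judge traffic over the last five minutes
PREFIX_DIGITS = 7      # assumed: country code plus carrier/range prefix
MAX_PER_PREFIX = 5     # assumed: distinct numbers per prefix per window
MAX_PER_IP = 10        # assumed: sends one client IP may trigger per window


@dataclass(frozen=True)
class OtpRequest:
    ts: int          # unix seconds at which the site was asked to send a code
    phone: str       # E.164 destination, e.g. "+15551230001"
    client_ip: str   # address of the client that requested the code


class PumpingDetector:
    def __init__(self):
        self._by_prefix = defaultdict(deque)   # prefix -> deque of (ts, phone)
        self._by_ip = defaultdict(deque)       # client ip -> deque of (ts, phone)
        self.blocked_prefixes = set()

    @staticmethod
    def prefix(phone):
        return phone.lstrip("+")[:PREFIX_DIGITS]

    @staticmethod
    def _expire(dq, now):
        # Drop entries that fell out of the sliding window.
        while dq and dq[0][0] < now - WINDOW_SECONDS:
            dq.popleft()

    def allow(self, req):
        """Return (allowed, reason). Call before handing the number to the SMS gateway.

        Denied requests are still recorded so a pumper's attempts keep
        counting toward blocking the whole prefix.
        """
        p = self.prefix(req.phone)
        pdq, ipdq = self._by_prefix[p], self._by_ip[req.client_ip]
        self._expire(pdq, req.ts)
        self._expire(ipdq, req.ts)
        pdq.append((req.ts, req.phone))
        ipdq.append((req.ts, req.phone))

        if p in self.blocked_prefixes:
            return False, "prefix blocked"

        # A resend to the same number is fine; many *different* numbers on one
        # carrier range in a few minutes is the classic pumping pattern.
        distinct = {ph for _, ph in pdq}
        if len(distinct) > MAX_PER_PREFIX:
            self.blocked_prefixes.add(p)
            return False, "prefix burst"

        # Pumpers often walk a number range; adjacent numbers are a tell.
        n = int(req.phone.lstrip("+"))
        if any(abs(int(ph.lstrip("+")) - n) == 1 for _, ph in pdq if ph != req.phone):
            return False, "sequential numbers"

        if len(ipdq) > MAX_PER_IP:
            return False, "client ip rate"
        return True, "ok"


def replay(requests):
    """Run a request sequence through a fresh detector; returns (phone, allowed, reason)."""
    det = PumpingDetector()
    return [(r.phone, *det.allow(r)) for r in requests]


# Constructed sample traffic: three ordinary sign-ins (one user retries once),
# then a pumping run walking one Nigerian prefix in steps of ten, then a pair of
# adjacent French numbers from a fourth client.
SAMPLE_REQUESTS = [
    OtpRequest(0, "+15551230001", "198.51.100.10"),
    OtpRequest(10, "+447700900123", "198.51.100.11"),
    OtpRequest(20, "+15551230001", "198.51.100.10"),
] + [
    OtpRequest(100 + i, f"+2348099000{10 * (i + 1):03d}", "203.0.113.7") for i in range(7)
] + [
    OtpRequest(300, "+33612345678", "192.0.2.9"),
    OtpRequest(301, "+33612345679", "192.0.2.9"),
]

if __name__ == "__main__":
    for phone, ok, why in replay(SAMPLE_REQUESTS):
        print(f"{phone:16} {'SEND' if ok else 'DENY':4} {why}")
```

In production the same counters would live in a shared store such as Redis and the denial would also feed an alert, since a blocked prefix is a strong signal that someone has found the OTP endpoint worth abusing.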

Those problems mean Google is done with texting one-time passwords.

"Over the next few months we will be reimagining how we verify phone numbers," Google's privacy spokesperson Ross Richendrfer told The Register. "Specifically, instead of entering your number and receiving a 6-digit code, you’ll see a QR code being displayed which you need to scan with the camera app on your phone."

The Chocolate Factory isn't getting rid of SMS entirely, since it will sometimes still require incoming texts as confirmation of identity. But for users logging in, it's going to be a case of scanning QR codes - for those who haven't deployed security keys, tokens, and the like.

"SMS codes are a source for heightened risk for users – we’re pleased to introduce an innovative new approach to shrink the surface area for attackers and keep users safer from malicious activity," Richendrfer said. "Look for more from us on this in the near future." ®
