Google revealed to Forbes this week that it’s moving away from six-digit codes to QR codes, when verifying new email account holders.
The transition by the popular email provider targets phishers preying on cell carriers, and text messages sent via short message service (SMS) technology.
“If a fraudster can easily trick a carrier into getting hold of someone’s phone number…any security value of SMS goes away,” Google Workspace spokesperson Ross Richendrfer told Forbes in February.
QR correct, sir! Richendrfer told the publication that the company will take the next few months to “reimagine” phone number verification and consider QR codes, displayed on the non-mobile device, as authentication mechanisms.
Currently, when a new Gmail account is created, Google verifies a person’s phone number by sending an SMS text message.
There are security limitations with this option: The verification codes can be accidentally shared with the phisher, through false sites and social engineering.
SIMple plan. Codes are also reliant on the security practices of the user’s carrier. Fraudsters can “SIM swap” or convince a carrier to transfer a phone number to a SIM card in their possession. The FBI’s 2023 Internet Crime Report, published in March 2024, found 1,075 complaints in the US related to SIM swapping, and costs of over $48 million for that year.
CISA, in December 2024, urged orgs not to use SMS as a second factor for authentication, noting that the unencrypted messages are readable if a threat actor compromises telecom infrastructure.
Top insights for IT pros
From cybersecurity and big data to cloud computing, IT Brew covers the latest trends shaping business tech in our 4x weekly newsletter, virtual events with industry experts, and digital guides.
Authenicator, alligator. Microsoft, Google, and Authy offer free authenticator applications, which work offline by creating time-generated tokens for users to enter—better options than SMS, but still ones vulnerable to phishing, CISA said.
While James Hoover, senior principal analyst at market intelligence firm Gartner, hasn’t seen many clients moving directly to QR codes, he has noticed increased movement away from SMS-based authentication and toward on-device authenticator apps and passkeys, which pair a device’s private key with a service’s public key to verify identity.
Richendrfer told Forbes that the company wants to move past passwords to passkeys.
Hoover sees the QR code idea, broadly, as a lateral move for phishability threats and an upgrade for communication-channel threats like SIM swaps, since QR codes don’t depend on SMS as a transmission media. “It’s being delivered directly to the device you’re trying to authenticate to,” Hoover told us.
Adversaries, however, can still deceptively present a QR code from a controlled, compromised device to the targeted user, Hoover warned.
“Now, I’m not trying to get you to either enter or give me your six digits. I’m trying to get you to scan the QR code that authorizes my authentication attempt,” he said.