Gmail to replace SMS-based authentication with QR code system to reduce security risks

Gmail is preparing to replace SMS-based authentication codes with QR code systems to verify user identity. The move is part of Google’s effort to discontinue two-factor authentication methods for a more secure model. 

Forbes reported that a Gmail insider claimed plans are ongoing to replace text message verification with an alternative approach that will enhance security while reducing various associated risks like phishing and fraud. 

For a while, Gmail has been using SMS-based authentication for abuse prevention and security verification. The system helps to confirm returning users and also prevents fraudulent activities like mass account creation for spam and malware distribution.  

The method has long raised vulnerability concerns with growing instances of cybercriminals exploiting text-based security codes to gain unauthorized access.

According to the company insider, a major reason for shifting away from text-based authentication is that SMS verification remains susceptible to phishing and its effectiveness depends on the security protocols of mobile carriers. 

For instance, if a fraudster can easily trick a carrier into getting someone’s phone number, SMS’s security will disappear, resulting in the method’s reliability flaw. Fraudsters have increasingly leveraged this weakness to bypass security measures.

Traffic pumping, also known as artificial traffic inflation and toll fraud, is another emerging scam in which cybercriminals exploit SMS verification by triggering mass authentication messages to numbers under their control. They generate revenue from every delivered message leading to financial losses for service providers. The growing concern about the abuse has now led to the prospective implementation of stronger authentication methods.

Similar Read: Google removes Black History Month, Women History Month, and other diversity events from Calendar. 

Gmail transition – from password to passkey and now QR codes

The use of SMS text messages for security codes to authenticate Gmail users’ identity has been the norm, and the industry is slowly moving away from passwords to passkeys for a more secure biometric approach to logins. 

Considering its associated risk, two-factor authentication that includes SMS codes seems far from the final destination. 

“Just like we want to move past passwords with the use of things like passkeys, we want to move away from sending SMS messages for authentication and replace them with QR codes to reduce the impact of rampant, global SMS abuse,” Gmail spokesperson Ross Richendrfer said. 

However, Google is yet to provide a specific date for the rollout. But in the coming months, Gmail users will no longer receive six-digit SMS verification codes. A QR code will appear on the screen during authentication, requiring users to scan it with their phone’s camera to complete the process.

QR codes will seek to reduce the phishing risk of Gmail users being tricked into sharing their security codes with a threat actor. It brings strong security now since there’ll be no such code to share and removes the reliance of Gmail users on their phone carrier for anti-abuse protections. 

“SMS codes are a source of heightened risk for users, we’re pleased to introduce an innovative new approach to shrink the surface area for attackers and keep users safer from malicious activity,” Richendrfer said. 

Aside from the incoming QR code method, Google recently added new and advanced features to its Performance Max to set up advertisers for success in 2025 and beyond. 

Announced in January, the expanded capabilities seek to help advertisers with more control, transparency, and actionable insights within performance max so they can achieve better campaign outcomes.

Performance Max is a goal-based campaign type that allows advertisers to increase conversions across Google’s range of advertising channels which includes Search, Display, Discover, Maps, Gmail, and YouTube. 

In 2024, Google launched a suite of Performance Max features centred around improving controls and reporting capabilities. These features help dive deeper into performance with improved insights, create visually engaging ads, and increase your asset variety among others.

The 2025 launch features more campaign control to steer AI, enhanced search reporting and guidance, and improved asset grouping reporting.