Google plans to ditch SMS in its 2FA. What will replace it?

2FA, or two-factor authentication, is a somewhat clumsy but seemingly secure way to log on to a service without compromising the credentials. It was invented in the 1980s, but did not become common until the 2000s, when malicious actors started targeting regular people and not just corporate networks. At the outset, the technology relied on one-time passwords generated by physical tokens, but this approach did not scale. SMS was a perfect solution: available to anyone with a phone, cheap, and as secure as it needed to be. This page, however, is about to be turned: according to Forbes, Google plans to abandon the practice of sending the code in messages, and it is likely that other major players will follow suit.

What’s wrong with SMS in 2FA?

As mentioned above, SMS was previously deemed a fine carrier for delivering information as sensitive as an authorization code. Today, however, things have changed, and there are several ways it can be compromised.

  • SMS verification is susceptible to phishing attacks: scammers simply trick users into revealing verification codes they receive.
  • In many cases, SMS messages are sent as plain text, and can be intercepted.
  • Moreover, much depends on the mobile carrier. For example, in SIM swapping, fraudsters hijack phone numbers and thus receive SMS messages not intended for them. Plus, a mobile carrier’s network can be compromised, too.

What are the alternatives to SMS Verification?

In fact, Google has already introduced several alternatives to SMS that mitigate at least two of the three aforementioned risks.

  • Google Authenticator app, which generates time-based one-time passwords (TOTP), i.e., codes that are valid for a very short period of time.
  • Google Prompts, a pop-up notification received on a registered device that requests approval (or denial) of a login attempt.
  • Physical keys like YubiKey, a hardware-based approach to authentication, which is a good choice in certain scenarios.
  • Passkeys, which we covered in this piece; they allow users to authenticate using biometrics, and are seen as a total replacement for passwords.
  • QR codes, which you have to scan with your phone’s camera to log in. This is what Google will be using instead of SMS in the two-factor authentication routine for its services.

There is no specific date on the transition yet, but it is expected to happen in the first half of 2025.
