Google plans to ditch SMS in its 2FA. What will replace it?

2FA, or two-factor authentication, is a somewhat clumsy but seemingly secure way to log on to a service without compromising the credentials. It was invented in the 1980s, but did not become common until the 2000s, when malicious agents started targeting regular people and not just corporate networks. At the outset, the technology relied on one-time passwords generated by physical tokens, but this approach did not scale. SMS was a perfect solution: available to anyone with a phone, cheap, and as secure as it needed to be. That chapter, however, is about to close: according to Forbes, Google plans to abandon the practice of sending the code in messages, and it is likely other major players will follow suit.

What’s wrong with SMS in 2FA?

As mentioned above, SMS used to be considered a fine carrier for information as sensitive as an authorization code. Today, however, things have changed, and there are several ways it can be compromised.

  • SMS verification is susceptible to phishing attacks: scammers simply trick users into revealing verification codes they receive.
  • In many cases, SMS messages are sent as plain text, and can be intercepted.
  • Moreover, much depends on the mobile carrier. For example, in SIM swapping, fraudsters hijack phone numbers and thus receive SMS messages not intended for them. Plus, a mobile carrier’s network can be compromised, too.

What are the alternatives to SMS Verification?

In fact, Google has already introduced several alternatives to SMS that mitigate at least two of the three aforementioned risks.

  • Google Authenticator app, which generates time-based one-time passwords (TOTP), i.e., codes that are valid for a very short period of time.
  • Google Prompts, a pop-up notification received on a registered device that requests approval (or denial) of a login attempt.
  • Physical keys like YubiKey, a hardware-based approach to authentication, which is a good choice in certain scenarios.
  • Passkeys, which we covered in this piece; they allow users to authenticate using biometrics, and are seen as a total replacement for passwords.
  • QR codes, which you have to scan with your phone’s camera to log in. This is what Google will be using instead of SMS in the two-factor authentication routine for its services.

There is no specific date on the transition yet, but it is expected to happen in the first half of 2025.
