Google plans to ditch SMS in its 2FA. What will replace it?

2FA, or two-factor authentication, is a somewhat clumsy but seemingly secure way to log on to a service without compromising the credentials. It was invented in the 1980s, but did not become common until the 2000s, when malicious agents started targeting regular people and not just corporate networks. At the outset, the technology made use of one-time passwords generated by physical tokens, but this approach did not scale. SMS was a perfect solution: available to anyone with a phone, cheap, and as secure as it needed to be. This page, however, is about to be turned: according to Forbes, Google plans to abandon the practice of sending the code in messages, and it is likely other major players will follow suit.

What’s wrong with SMS in 2FA?

As mentioned above, SMS was previously deemed a fine carrier for information as sensitive as an authorization code. Today, however, things have changed, and there are several ways it can be compromised.

  • SMS verification is susceptible to phishing attacks: scammers simply trick users into revealing verification codes they receive.
  • In many cases, SMS messages are sent as plain text, and can be intercepted.
  • Moreover, much depends on the mobile carrier. For example, in SIM swapping, fraudsters hijack phone numbers and thus receive SMS messages not intended for them. Plus, a mobile carrier’s network can be compromised, too.

What are the alternatives to SMS Verification?

In fact, Google has already introduced several alternatives to SMS that mitigate at least two of the three aforementioned risks.

  • Google Authenticator app, which generates time-based one-time passwords (TOTP), i.e., codes that are valid for a very short period of time.
  • Google Prompts, a pop-up notification received on a registered device that requests approval (or denial) of a login attempt.
  • Physical keys like YubiKey, a hardware-based approach to authentication, which is a good choice in certain scenarios.
  • Passkeys, which we covered in this piece; they allow users to authenticate using biometrics, and are seen as a total replacement for passwords.
  • QR codes, which you have to scan with your phone’s camera to log in. This is what Google will be using instead of SMS in the two-factor authentication routine for its services.

There is no specific date for the transition yet, but it is expected to happen in the first half of 2025.
