Windows

Google plans to ditch SMS in its 2FA. What will replace it?

Google services are shifting away from SMS verification in 2FA. Look to Google Authenticator, biometric authentication, and more secure options soon.
J
  • Jim Richards,
  • last year
  • Editor Informer Technologies, Inc.

Google plans to ditch SMS in its 2FA. What will replace it? Google plans to ditch SMS in its 2FA. What will replace it?

2FA, or two-factor authentication, is a bit clumsy but seemingly secure way to log on to a service without compromising the credentials. It was invented in the 1980s, but did not become common until the 2000s, when malicious agents started targeting regular people and not just corporate networks. At the outset, the technology made use of one-time passwords generated by physical tokens, but this approach disallowed scaling. SMS was a perfect solution: available to anyone with a phone, cheap, and as secure as it needed to be. This page, however, is about to be turned: according to Forbes, Google plans to abandon the practice of sending the code in messages, and it is likely other major players will follow suit.

What’s wrong with SMS in 2FA?

As mentioned above, previously, SMS was deemed a fine carrier to deliver such sensitive information as an authorization code. Today, however, things have changed, and there are several ways it can be compromised.

  • SMS verification is susceptible to phishing attacks: scammers simply trick users into revealing verification codes they receive.
  • In many cases, SMS messages are sent as plain text, and can be intercepted.
  • Moreover, much depends on the mobile carrier. For example, there’s a practice of SIM swapping, when fraudsters hijack phone numbers and thus receive SMS not intended for them. Plus, a mobile carrier’s network can be compromised, too.

What are the alternatives to SMS Verification?

In fact, Google has already introduced several alternatives to SMS that mitigate at least two of the three aforementioned risks.

  • Google Authenticator app, which generates time-based one-time passwords (TOTP), i.e., codes that are valid for a very short period of time.
  • Google Prompts, a pop-up notification received on a registered device that requests approval (or denial) of a login attempt.
  • Physical keys like YubiKey, a hardware-based approach to authentication, which is a good choice in certain scenarios.
  • Passkeys, which we covered in this piece; they allow users to authenticate using biometrics, and are seen as a total replacement for passwords.
  • QR codes, which you have to scan with your phone’s camera to log in. This is what Google will be using instead of SMS in the two-factor authentication routine for its services.

There is no specific date on the transition yet, but it is expected to happen in the first half of 2025.

Author's other posts

Microsoft adds scareware detector to Edge; what about other browsers?
Article
Microsoft adds scareware detector to Edge; what about other browsers?
Edge's brand new AI-powered scareware detector blocks those scare-inducing pop-ups and keeps you safe. Other browsers offer assistance, too.
Apple plans to sell a cheaper MacBook: what is it going to be?
Article
Apple plans to sell a cheaper MacBook: what is it going to be?
Apple's affordable MacBook with a 6-core A18 Pro chip, 8GB RAM, and ~12.9" LCD display is set to launch in 2026. Targeting students, it may start at $599.
Windows 11 23H2 support ends in November; how to upgrade to 25H2?
Article
Windows 11 23H2 support ends in November; how to upgrade to 25H2?
Windows 11 23H2 will soon join Windows 10 in the list of no-longer-supported versions. Here is what you can do about it.
How to improve RAM performance on a Mac: regular and advanced tricks
Article
How to improve RAM performance on a Mac: regular and advanced tricks
Macs are cool. But they can get slow. Here are some efficient ways to free up RAM, boost the computer's performance, and keep it running well.