
Google binning SMS MFA at last and replacing it with QR codes

(2025/02/25)


Google has confirmed it will phase out the use of SMS text messages for multi-factor authentication in favor of more secure technologies.

The search-and-ads giant introduced SMS distribution of one-time passcodes for authentication for Gmail in February 2011, and in 2018 [1]fewer than 10 percent of users employed it. Google later required multi-factor authentication for most services in 2021.

But SMS fell out of favor due to inherent insecurities: Very-well-placed miscreants and nation states [2]could use SS7 to redirect passcode texts, allowing accounts to be taken over; and not-so-well-placed scumbags could use SIM swapping to take over a victim's cellphone number to steal their one-time texted codes.


In 2016, the US govt's NIST [4]advised basic text messaging should be retired as a means of multi-factor authentication.


That was sensible advice: if a thief has actually stolen a phone, it's essentially game over. Passwords can be reset on Google accounts because (depending on the owner's settings) an SMS token can be read on the device's home screen without the need to unlock the handset.

Secondly, the continued rise of SIM swapping has rendered SMS authentication somewhat moot. As we've [7]seen [8]time [9]and [10]time again, if a skilled social engineer can convince a telco to accept that their customer has a new SIM card then all bets are off on the security front - in 2024 CISA [11]officially [PDF] advised people to move away from SMS authentication in favor of safer systems.


There's also the fraud angle. Google has noted a rising trend in "traffic pumping" schemes in which fiends cause websites to send SMS messages with unneeded one-time-passwords. Elon Musk [13]claimed that when he took over Twitter such scams cost the microblogging service $60 million a year in SMS traffic fees.
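The "traffic pumping" pattern described above is usually visible in a site's own OTP-send logs as bursts of sends to near-identical numbers. The following detector is an added example, not code from Google or The Register; the log format and phone numbers are constructed, and the prefix length, window and threshold are assumed tuning values.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log of OTP SMS sends: "<ISO timestamp> <E.164 number>".
# The first six lines model a pumping burst across a contiguous number range;
# the last two are ordinary, unrelated sends.
SAMPLE_LOG = """\
2025-02-25T10:00:01 +447700900101
2025-02-25T10:00:02 +447700900102
2025-02-25T10:00:02 +447700900103
2025-02-25T10:00:03 +447700900104
2025-02-25T10:00:03 +447700900105
2025-02-25T10:00:04 +447700900106
2025-02-25T10:01:30 +15551230001
2025-02-25T10:05:00 +15551239999
"""


def parse_log(text):
    """Parse log lines into (timestamp, number) tuples."""
    events = []
    for line in text.splitlines():
        ts, number = line.split()
        events.append((datetime.fromisoformat(ts), number))
    return events


def detect_pumping(log_text, prefix_len=8, window=timedelta(seconds=60), threshold=5):
    """Return {prefix: peak_count} for number prefixes that received at least
    `threshold` OTP sends inside any sliding window of length `window`."""
    by_prefix = defaultdict(list)
    for ts, number in parse_log(log_text):
        by_prefix[number[:prefix_len]].append(ts)
    flagged = {}
    for prefix, times in by_prefix.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            # Slide the window start forward until it fits inside `window`.
            while t - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[prefix] = max(flagged.get(prefix, 0), count)
    return flagged


def should_send_otp(number, flagged, prefix_len=8):
    """Gate an OTP send: refuse numbers whose prefix is currently flagged."""
    return number[:prefix_len] not in flagged
```

In production the same sliding-window check would run against a live counter store rather than a static log, with flagged prefixes routed to a CAPTCHA or a cheaper verification channel instead of a silent refusal.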

Those problems mean Google is done with texting one-time passwords.

"Over the next few months we will be reimagining how we verify phone numbers," Google's privacy spokesperson Ross Richendrfer told The Register. "Specifically, instead of entering your number and receiving a 6-digit code, you’ll see a QR code being displayed which you need to scan with the camera app on your phone."


The Chocolate Factory isn't getting rid of SMS entirely, since it will sometimes still require incoming texts as confirmation of identity. But for users logging in, it's going to be a case of scanning QR codes - for those who haven't deployed security keys, tokens, and the like.

"SMS codes are a source for heightened risk for users – we’re pleased to introduce an innovative new approach to shrink the surface area for attackers and keep users safer from malicious activity," Richendrfer said. "Look for more from us on this in the near future." ®




[1] https://www.theregister.com/2018/01/17/no_one_uses_two_factor_authentication/

[2] https://www.theregister.com/2017/09/18/ss7_vuln_bitcoin_wallet_hack_risk/


[4] https://www.theregister.com/2016/07/24/nist_says_sms_no_good_for_authentication


[7] https://www.theregister.com/2025/02/11/sim_swapped_guilty_plea/

[8] https://www.theregister.com/2024/05/07/ransomware_evolves_from_mere_extortion/

[9] https://www.theregister.com/2024/02/05/sbf_off_the_hook_for/

[10] https://www.theregister.com/2024/04/16/sim_swap_scam_tmobile/

[11] https://www.cisa.gov/sites/default/files/2024-12/guidance-mobile-communications-best-practices.pdf


[13] https://x.com/elonmusk/status/1626996774820024321




UK Banks

Anonymous Coward

So why are most UK Banks still using SMS MFA?

Re: UK Banks

Richard 12

They've modernised. Banking has finally entered the mid-1990s.

In another decade they might reach the year 2000.

Re: UK Banks

Snowy

Your optimistic.

Re: UK Banks

Anonymous Coward

What about his optimistic? Isn't it tucked in properly? Don't leave us hanging!

What about all the people who don't have smartphones?

Tron

Typical tech bro behaviour, unable to see outside their own bubble.

Selfie-Camera->Handmirror->Screen

An_Old_Dog

"Specifically, instead of entering your number and receiving a 6-digit code, you’ll see a QR code being displayed which you need to scan with the camera app on your phone."

So, people will need to use a hand mirror, so that the camera app can see, via the selfie camera, the QR code being displayed on-screen?!

I have the latest Android update available via my telco (Android 13), but its camera app has no "screen-scanning" feature.

Re: Selfie-Camera->Handmirror->Screen

Anonymous Coward

", people will need to use a hand mirror"

But then the QR code will be backwards!

Never fear, all you need do is always carry around a [1]non-reversing mirror.

What could possibly be simpler?

[1] https://en.wikipedia.org/wiki/Non-reversing_mirror

FYI Elon says a LOT of things

Anonymous Coward

The validity of what he says, however, leaves much to be desired.

2FM (2Factor Malware)

Dr Sendy

So you log in and pick up your phone and then find the QR code is a link to a driveby phone malware site and the sign in was fake?
