News: 1740442473


Google binning SMS MFA at last and replacing it with QR codes

(2025/02/25)


Google has confirmed it will phase out the use of SMS text messages for multi-factor authentication in favor of more secure technologies.

The search-and-ads giant introduced SMS delivery of one-time passcodes for Gmail in February 2011, and by 2018 [1]fewer than 10 percent of users had enabled it. Google went on to make multi-factor authentication the default for most accounts in 2021.

But SMS fell out of favor due to inherent weaknesses: very-well-placed miscreants and nation states [2]could abuse the SS7 telephony signaling network to reroute passcode texts to themselves and take over accounts, and not-so-well-placed scumbags could SIM swap a victim's cellphone number so that the one-time codes are texted straight to them.


In 2016, the US govt's NIST [4]advised, in a draft of its SP 800-63B digital identity guidelines, that plain text messaging should be retired as a means of multi-factor authentication.


That was sensible advice: if a thief has physically stolen a phone, it's essentially game over. Depending on the owner's settings, an SMS code can be read from the notification on the handset's lock screen without unlocking it, and that code is enough to reset the password on the victim's Google account.

Secondly, the continued rise of SIM swapping has rendered SMS authentication somewhat moot. As we've [7]seen [8]time [9]and [10]time again, if a skilled social engineer can convince a telco that its customer has a new SIM card, every code sent to that number lands with the attacker and all bets are off on the security front. In December 2024 CISA [11]officially [PDF] advised people to move away from SMS authentication in favor of safer systems.


There's also the fraud angle. Google has noted a rising trend in "traffic pumping" schemes (also called SMS pumping or artificially inflated traffic), in which fiends script a website's phone-number form to fire off floods of unneeded one-time-password texts to ranges of numbers they control, so that the site pays per-message fees that the fraudsters share with a colluding carrier. Elon Musk [13]claimed that when he took over Twitter such scams cost the microblogging service $60 million a year in SMS traffic fees.
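The pumping pattern described above is easy to spot server-side: one client hammers the OTP endpoint with a sweep of near-sequential numbers in a single prefix. The following is an added example, not Google's or The Register's code, showing detection logic run over a constructed OTP-send log. The log format, field names, thresholds and the 7-character prefix length are assumptions for illustration; the phone numbers are from Ofcom's fictitious 07700 900xxx range and the IPs are documentation addresses.

```python
"""Flag SMS-pumping bursts in an OTP-send request log (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, not real traffic. One OTP-send request per line:
# "<ISO-8601 UTC timestamp> <client IP> <destination number in E.164>"
SAMPLE_LOG = """\
2025-02-25T10:00:01Z 203.0.113.7 +447700900001
2025-02-25T10:00:02Z 203.0.113.7 +447700900002
2025-02-25T10:00:02Z 203.0.113.7 +447700900003
2025-02-25T10:00:03Z 203.0.113.7 +447700900004
2025-02-25T10:00:03Z 203.0.113.7 +447700900005
2025-02-25T10:00:04Z 203.0.113.7 +447700900006
2025-02-25T10:00:10Z 198.51.100.4 +14155550123
2025-02-25T10:05:00Z 198.51.100.9 +33612345678
"""

# Assumed thresholds: tune to the legitimate per-client rate of your own site.
BURST_WINDOW = timedelta(seconds=60)   # look-back window per client IP
BURST_THRESHOLD = 5                    # distinct destinations in the window
PREFIX_LEN = 7                         # "+447700": country code + number range


def parse_log(text):
    """Parse log lines into (timestamp, ip, number) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, number = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, number))
    return events


def _is_sequential(numbers):
    """True when the sorted numbers mostly step by 1 or 2: a scripted sweep."""
    digits = sorted(int(n.lstrip("+")) for n in numbers)
    if len(digits) < 3:
        return False
    steps = [b - a for a, b in zip(digits, digits[1:])]
    return sum(1 for s in steps if 0 < s <= 2) >= 0.8 * len(steps)


def find_pumping(events, window=BURST_WINDOW, threshold=BURST_THRESHOLD):
    """Return one finding per client IP that exceeds the burst threshold.

    A finding records how many distinct numbers were hit inside the window,
    whether they all share one prefix, and whether they look sequential;
    the last two are the strongest signals that the traffic is pumping
    rather than, say, a NAT gateway in front of many genuine users.
    """
    by_ip = defaultdict(list)
    for ts, ip, number in sorted(events):
        by_ip[ip].append((ts, number))

    findings = []
    for ip, reqs in by_ip.items():
        start = 0
        for end in range(len(reqs)):
            # Slide the window so reqs[start:end+1] spans at most `window`.
            while reqs[end][0] - reqs[start][0] > window:
                start += 1
            nums = {n for _, n in reqs[start:end + 1]}
            if len(nums) >= threshold:
                findings.append({
                    "ip": ip,
                    "distinct_numbers": len(nums),
                    "same_prefix": len({n[:PREFIX_LEN] for n in nums}) == 1,
                    "sequential": _is_sequential(nums),
                })
                break  # one finding per IP is enough to act on
    return findings


def should_block(finding):
    """Block when the burst also looks like a single-prefix sweep."""
    return finding["same_prefix"] and finding["sequential"]


if __name__ == "__main__":
    for f in find_pumping(parse_log(SAMPLE_LOG)):
        print(f, "-> block" if should_block(f) else "-> review")
```

In production the same check belongs in the OTP-send path itself, before the message is handed to the SMS gateway, so that the site never pays for the pumped traffic; a per-IP rate limit alone is not enough, since pumping rings rotate source addresses, which is why the prefix and sequence signals are kept.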

Those problems mean Google is done with texting one-time passwords.

"Over the next few months we will be reimagining how we verify phone numbers," Google's privacy spokesperson Ross Richendrfer told The Register . "Specifically, instead of entering your number and receiving a 6-digit code, you’ll see a QR code being displayed which you need to scan with the camera app on your phone."

[14]Don't have MFA on a Google Cloud account? You'll have to from Jan

[15]Mandiant's brute-forced X account exposes perils of skimping on 2FA

[16]Amazon adds MFA to its enterprise email service ... eight years after launch

[17]Snowflake customers not using MFA are not unique – over 165 of them have been compromised

The Chocolate Factory isn't getting rid of SMS entirely, since it will sometimes still require incoming texts as confirmation of identity. But for users logging in who haven't deployed security keys, tokens, and the like, it's going to be a case of scanning QR codes. Because the code is scanned off the screen rather than delivered over the phone network, there is no text for an SS7 attacker to reroute or for a SIM swapper to receive.

"SMS codes are a source for heightened risk for users – we’re pleased to introduce an innovative new approach to shrink the surface area for attackers and keep users safer from malicious activity," Richendrfer said. "Look for more from us on this in the near future." ®




[1] https://www.theregister.com/2018/01/17/no_one_uses_two_factor_authentication/

[2] https://www.theregister.com/2017/09/18/ss7_vuln_bitcoin_wallet_hack_risk/


[4] https://www.theregister.com/2016/07/24/nist_says_sms_no_good_for_authentication


[7] https://www.theregister.com/2025/02/11/sim_swapped_guilty_plea/

[8] https://www.theregister.com/2024/05/07/ransomware_evolves_from_mere_extortion/

[9] https://www.theregister.com/2024/02/05/sbf_off_the_hook_for/

[10] https://www.theregister.com/2024/04/16/sim_swap_scam_tmobile/

[11] https://www.cisa.gov/sites/default/files/2024-12/guidance-mobile-communications-best-practices.pdf


[13] https://x.com/elonmusk/status/1626996774820024321

[14] https://www.theregister.com/2024/11/05/google_cloud_says_all_customers/

[15] https://www.theregister.com/2024/01/11/mandiant_x_account_brute_forced/

[16] https://www.theregister.com/2024/10/31/amazon_mfa_workmail/

[17] https://www.theregister.com/2024/06/11/crims_targeting_snowflake_customers/




UK Banks

Anonymous Coward

So why are most UK Banks still using SMS MFA?

Re: UK Banks

Richard 12

They've modernised. Banking has finally entered the mid-1990s.

In another decade they might reach the year 2000.

Re: UK Banks

Snowy

Your optimistic.

Re: UK Banks

Anonymous Coward

What about his optimistic? Isn't it tucked in properly? Don't leave us hanging!

What about all the people who don't have smartphones?

Tron

Typical tech bro behaviour, unable to see outside their own bubble.

Selfie-Camera->Handmirror->Screen

An_Old_Dog

"Specifically, instead of entering your number and receiving a 6-digit code, you’ll see a QR code being displayed which you need to scan with the camera app on your phone."

So, people will need to use a hand mirror, so that the camera app can see, via the selfie camera, the QR code being displayed on-screen?!

I have the latest Android update available via my telco (Android 13), but its camera app has no "screen-scanning" feature.

Re: Selfie-Camera->Handmirror->Screen

Anonymous Coward

", people will need to use a hand mirror"

But then the QR code will be backwards!

Never fear, all you need do is always carry around a [1]non-reversing mirror .

What could possibly be simpler?

[1] https://en.wikipedia.org/wiki/Non-reversing_mirror

FYI Elon says a LOT of things

Anonymous Coward

The validity of what he says, however, leaves much to be desired.

2FM (2Factor Malware)

Dr Sendy

So you log in and pick up your phone and then find the QR code is a link to a driveby phone malware site and the sign in was fake?
