Here’s what Google is (and isn’t) planning with SMS account verification

Google is gradually phasing out SMS-based verification as part of its two-step verification (2SV) process across its suite of services, signaling a significant shift in how the tech giant approaches user authentication and security.
The change, which will affect Gmail and all other Google services where users sign in with their Google accounts, marks a move away from the traditional method of receiving six-digit codes via text message. Instead, Google is introducing a QR code-based system that users will scan with their phone’s camera.
“In certain situations we’re replacing SMS when creating a new account, however we do plan to gradually do away with SMS,” a Google representative confirmed to CyberScoop. The company emphasized that this transition will be gradual, rolling out regionally with no specific timeline for when all users will experience the new verification flow.
According to information provided by Google, the decision to move away from SMS verification stems from numerous security vulnerabilities associated with text message codes. These include susceptibility to phishing attacks, where users might inadvertently share codes with malicious actors, and dependence on phone carriers’ security practices, which can vary widely in effectiveness.
The company has also cited a relatively new scam called “traffic pumping” as a motivating factor. This scheme, which gained prominence over the past few years, involves fraudsters manipulating online service providers into sending large volumes of SMS messages to numbers under their control, generating revenue each time a message is delivered. X, formerly Twitter, reportedly encountered this issue in 2023.
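
A service that sends verification texts can look for the pattern described above in its own send logs. The following is an added example, not code from Google or CyberScoop; it assumes each log entry records the destination number and whether the code was later entered, and the grouping rule, thresholds and sample numbers are all constructed for illustration.

```python
from collections import defaultdict

# Constructed sample log: (destination number, code_was_entered). Not real data.
SAMPLE_LOG = (
    # 40 adjacent numbers in one block, none of which ever enters the code
    [(f"+99955501{i:02d}", False) for i in range(40)]
    # ordinary sign-ups scattered across unrelated blocks
    + [("+12025550143", True), ("+12025550187", True),
       ("+442079460321", True), ("+442079460958", False)]
)

def flag_pumping_ranges(log, prefix_drop=2, min_sends=20, max_completion=0.05):
    """Group verification SMS sends by number block and flag suspicious blocks.

    A block is the destination number with its last `prefix_drop` digits
    removed. A block is flagged when it received at least `min_sends`
    messages and the share of codes actually entered is at most
    `max_completion` (assumed thresholds, tune against real traffic).
    """
    sends = defaultdict(int)
    completed = defaultdict(int)
    for number, entered in log:
        block = number[:-prefix_drop]
        sends[block] += 1
        if entered:
            completed[block] += 1

    flagged = {}
    for block, count in sends.items():
        rate = completed[block] / count
        if count >= min_sends and rate <= max_completion:
            flagged[block] = {"sends": count, "completion_rate": rate}
    return flagged

if __name__ == "__main__":
    for block, stats in flag_pumping_ranges(SAMPLE_LOG).items():
        print(f"{block}xx: {stats['sends']} sends, "
              f"{stats['completion_rate']:.0%} completed")
```

Flagged blocks are candidates for rate limiting or for a verification method that does not send outbound SMS.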
Despite the move away from SMS, Google clarified that it is not abandoning phone number-based verification entirely. “We’re not planning on getting rid of ‘phone number based’ 2SV, simply the mechanism by which these numbers are verified today: SMS,” a company spokesperson told CyberScoop. Google Authenticator, the company’s authentication app, is unaffected by the change.
The new QR code verification system is designed to reduce phishing risks by eliminating shareable security codes and decreasing users’ reliance on phone carriers for security purposes. When implemented, users will see a QR code displayed during the verification process instead of receiving a text message. After scanning this code with their phone’s camera, in some cases the phone will still send an SMS to Google to complete verification, though in a more secure manner.
Google confirmed that existing accounts can still use SMS verification for now, though this will change as the new system rolls out. The company declined to provide specific numbers on how many current users rely on SMS for two-step verification.
For users seeking alternatives to SMS verification, Google recommends passkeys as the preferred method, though it acknowledges that any form of two-step verification offers better protection than passwords alone.
This transition represents part of a broader industry trend moving away from password-only and SMS-based authentication toward more secure verification methods that are less vulnerable to interception and exploitation. The change will impact the entire Google ecosystem, including Gmail, Google Play, Maps, Workspace, YouTube, and other services linked to Google accounts.
As this security shift unfolds over the coming months, Google has promised more information about the implementation and timeline of the authentication overhaul.