For some time now, Google has been asking for a mobile phone number and verification when new customers create Gmail accounts. SMS verification is also used as part of the login process, to verify that a returning customer is indeed that customer.

Google did introduce an option to enable 2-step verification for accounts without phone number in 2024 already.

A report by Forbes suggest that this is going to change in the coming months. Google plans to end SMS verification in favor of another system.

Google told Forbes that it wants to move away from using SMS messages for authentication. Other services, including X, formerly Twitter, have abandoned SMS in the past as well.

Currently, Google uses SMS verification in two situations:

1. When accounts get created, in order to limit the mass-creation of accounts by malware gangs and malicious groups.
2. To verify the identity of a returning user.

While SMS verification is better than no verification at all, the system has its fair share of significant issues. For one, SMS are sent out in clear text, which means they can be easily read when intercepted. Phishing is another problem that has been on the rise and there is the underlying issue of being tied to a phone number. Fraudulent groups have managed to obtain access to user phone numbers in the past through social engineering attacks that targeted the user's Internet Service Provider.

Google noted a rise in SMS related criminal activities. One of them, which Google calls traffic pumping, attempts to get online services to send SMS messages to numbers that they control in order to get paid.

From SMS to QR Codes

Google plans to switch off SMS verification in favor of a new system that relies on QR codes. So, instead of being asked to verify access by entering a six digit code sent to a mobile phone number, users are asked to scan the QR code using the mobile phone's camera.

Google believes that this new system is beneficial to itself and its users. Primarily, because it is removing phishing from the equation. Since there is no number that is sent to a mobile phone number anymore, there is nothing that can be phished in that regard.

Closing Words

In its talk with Forbes, Google did not reveal when it plans to introduce the change, only that it plans to reimagine how it verifies phone numbers "over the next few months". The changes may roll out in the first half of 2025 at the earliest.

What is your take on the changes? Do you use SMS for verification currently, or do you prefer other means? Feel free to leave a comment down below.