Google: SMS Text Security Codes No Longer Secure
Gmail is to stop using SMS text messages as a way to authenticate accounts. It's concluded the security measure is no longer secure or efficient.
The SMS message test is a common example of two-factor authentication, the idea that accounts should always be protected by two different factors, often including something the customer knows (such as a password), something they have (such as a smartphone), and where they are (using an IP address).
This means most of the time the customer can simply log in with a password from their normal location or IP address. With two-factor authentication enabled, that wouldn't work if they were away from home, so the password isn't sufficient. Instead they'd authenticate through something they have. With Gmail that's usually been their phone, which receives a security code by text message.
SMS No Longer Secure for 2 Factor Authentication
The problem is that the SMS route isn't as secure as it could be. Skilled scammers have found ways to hijack phone numbers so that incoming messages get redirected. Meanwhile, for more targeted attacks on a specific individual, somebody who steals a phone could attempt a password reset on a Gmail account. They could then usually view a security code arriving by SMS message without needing to unlock the device.
Another more sophisticated method is to falsely claim to be a Google support staff member and trick the user into handing over the security code. (Source: independent.co.uk)
QR Codes The New Solution
In some cases it's not the user who is getting scammed. Instead some criminals work alongside rogue telephone network operators, generating bogus requests for a security code and making money from carriage fees for the text messages. One estimate says five percent of all SMS messages are scams of this type, while Elon Musk claims X (formerly Twitter) once paid $60 million in fees for sending bogusly-requested two-factor-authentication texts. (Source: theregister.com)
Google says users can continue using alternative methods such as dedicated security verification apps (such as "Google Authenticator" or "Microsoft Authenticator") or physical USB security keys. However, for most other users the default method will switch from SMS messages to scanning a QR code. When two-factor authentication is triggered, the Gmail screen will show a unique QR code (a pattern of black and white blocks) and the user will need to scan it with their phone to prove their identity.
What's Your Opinion?
Do you often get asked to use an SMS message to verify your identity? Had you considered the limitations to this security? Is a QR code an acceptable alternative?
My name is Dennis Faas and I am a senior systems administrator and IT technical analyst specializing in cyber crimes (sextortion / blackmail / tech support scams) with over 30 years experience; I also run this website!
Comments
Google Authenticator
One thing I wish Google Authenticator would ask for is my fingerprint in order to open up the app (or a secondary password / swipe pattern) as an extra security measure. If my phone were ever compromised due to remote access, this would add in one more extra layer of security.
Not a phone expert
I’m more comfortable on a computer than a phone, but how do you scan a QR code on your phone if you’re on your phone?
What about the phone call option?
Right now Google offers an option to get a code via phone call. I wonder if that will also be deprecated. It really would be a shame, seeing as how not everyone has a smartphone or wants to have a smartphone. Making people scan QR codes is also not very accessible for the blind.