Google: SMS Text Security Codes No Longer Secure

By John Lister

Gmail is to stop using SMS text messages as a way to authenticate accounts. It's concluded the security measure is no longer secure or efficient.

The SMS message test is a common example of two-factor authentication, the idea that accounts should always be protected by two different factors, often including something the customer knows (such as a password), something they have (such as a smartphone), and where they are (using an IP address).

This means most of the time the customer can simply log in with a password from their normal location or IP address. With two-factor authentication enabled, that wouldn't work if they were away from home, so the password isn't sufficient. Instead they'd authenticate through something they have. With Gmail that's usually been their phone, which receives a security code by text message.

SMS No Longer Secure for 2 Factor Authentication

The problem is that the SMS route isn't as secure as it could be. Skilled scammers have found ways to hijack phone numbers so that incoming messages get redirected. Meanwhile, for more targeted attacks on a specific individual, somebody who steals a phone could attempt a password reset on a Gmail account. They could then usually view a security code arriving by SMS message without needing to unlock the device.

Another more sophisticated method is to falsely claim to be a Google support staff member and trick the user into handing over the security code. (Source: independent.co.uk)

QR Codes The New Solution

In some cases it's not the user who is getting scammed. Instead some criminals work alongside rogue telephone network operators, generating bogus requests for a security code and making money from carriage fees for the text messages. One estimate says five percent of all SMS messages are scams of this type, while Elon Musk claims X (formerly Twitter) once paid $60 million in fees for sending bogusly-requested two-factor-authentication texts. (Source: theregister.com)
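The fee-generating abuse described above leaves a recognisable trace on the sending side: bursts of code requests to many numbers that share one prefix. The following detector is an added example (not Google's or any carrier's code) run over constructed log lines; the field layout, prefix length and thresholds are assumptions for the example.

```python
"""Toy detector for bursts of bogus 2FA code requests (added example).
Flags any number prefix that receives OTP sends to many distinct numbers
inside a short sliding window, the pattern the article attributes to
rogue operators collecting carriage fees. Log lines are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: timestamp, requesting IP, destination number.
# Six sequential numbers in one prefix arrive within ten seconds; the
# other lines are ordinary single-user requests (one is a retry).
SAMPLE_LOG = """\
2025-02-24T10:00:01Z 198.51.100.7 +15551230001
2025-02-24T10:00:02Z 198.51.100.7 +15551230002
2025-02-24T10:00:03Z 198.51.100.7 +15551230003
2025-02-24T10:00:05Z 198.51.100.7 +15551230004
2025-02-24T10:00:07Z 198.51.100.7 +15551230005
2025-02-24T10:00:10Z 198.51.100.7 +15551230006
2025-02-24T10:01:00Z 203.0.113.9 +14155550100
2025-02-24T10:01:45Z 203.0.113.9 +14155550100
2025-02-24T10:03:00Z 203.0.113.22 +442071234567
"""


def parse(line):
    """Split one constructed log line into (timestamp, ip, number)."""
    ts, ip, number = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, number


def detect_pumping(log_text, prefix_len=8, window=timedelta(seconds=60),
                   threshold=5):
    """Return {prefix: peak_distinct_numbers} for every prefix that saw
    at least `threshold` distinct destination numbers within `window`.
    Retries to the same number do not raise the count."""
    events = sorted(parse(l) for l in log_text.splitlines() if l.strip())
    by_prefix = defaultdict(list)
    for ts, _ip, number in events:
        by_prefix[number[:prefix_len]].append((ts, number))
    flagged = {}
    for prefix, reqs in by_prefix.items():
        peak = 0
        for i, (t0, _) in enumerate(reqs):
            distinct = {n for t, n in reqs[i:] if t - t0 <= window}
            peak = max(peak, len(distinct))
        if peak >= threshold:
            flagged[prefix] = peak
    return flagged


if __name__ == "__main__":
    print(detect_pumping(SAMPLE_LOG))  # {'+1555123': 6}
```

A real deployment would key the same check on the requesting IP and account as well, and throttle further sends to the flagged prefix rather than just report it.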

Google says users can continue using alternative methods such as dedicated security verification apps (such as "Google Authenticator" or "Microsoft Authenticator") or physical USB security keys. However, for most other users the default method will switch from SMS messages to scanning a QR code. When two-factor authentication is triggered, the Gmail screen will show a unique QR code (a pattern of black and white blocks) and the user will need to scan it with their phone to prove their identity.

What's Your Opinion?

Do you often get asked to use an SMS message to verify your identity? Had you considered the limitations to this security? Is a QR code an acceptable alternative?


Comments

Dennis Faas

One thing I wish Google Authenticator would ask for is my fingerprint in order to open up the app (or a secondary password / swipe pattern) as an extra security measure. If my phone were ever compromised due to remote access, this would add in one more extra layer of security.

nospam_5346

I’m more comfortable on a computer than a phone, but how do you scan a QR code on your phone if you’re on your phone?

Dennis Faas

Most camera apps on phones will scan QR codes automatically - just point, wait a second to see if the camera can single out the QR code (it does this by showing a border around the QR code usually) or it will show a web address with an option to visit that link.

Some camera apps have a 'QR code' button you have to tap in order to enable it. Older phones may not have the QR code reader in which case you will need to download a dedicated QR code reading app. Just make sure you get a legitimate one, especially one that doesn't spam you with full screen ads constantly.

You can test your camera for QR code reading capability here:

https://idemia-mobile-id.com/testqr

nospam_5346

That’s not what I meant.

Suppose I’m attempting to sign in on my phone and then I’m asked to scan a QR code on my phone?

I don’t see a way to do that.

I understand scanning QR codes that appear elsewhere like on my TV or on my computer or my display in my car or on a sticker etcetera.

Just don’t see how I can scan one displayed on my phone with my phone.

Dennis Faas

The camera app should automatically detect it. I mentioned that in the previous comment. If it doesn't then you will need a dedicated QR reader app.

Draq

Right now Google offers an option to get a code via phone call. I wonder if that will also be deprecated. It really would be a shame, seeing as how not everyone has a smartphone or wants to have a smartphone. Making people scan QR codes is also not very accessible for the blind.

mike

Since a QR code is simply a way to encode a web address, how is this more secure?
Also, as stated before how do you use a QR code on a computer? Especially one that does not have a camera?
Seems like a way to make logging in more of a hassle in the name of security.

russoule

The concept of an ID and password to enter a url made sense for the most part, particularly on sites that have financial or other security needs. And for those sites to add, without my approval, a "send a code to cell phone or email" at least was for security reasons. But why do sites like this one need such security to be entered? There is no financial data at risk. I don't mean this site itself, but information sites such as Google search or BING?

For me it is frustrating because I jump from computer to computer daily and each time I try to sign in I get the code request. I don't like or use cell phones and having to go to my email each time is a pain.

Another beef I have is the time limit many sites use to determine if I am using the site. I may have to look some info up while I am on the site or go to a different site at the same time and lo-and-behold when I get back I have been signed out. Using just my ID and password would not be too painful, but a lot of the sites go back through the darn "send code to..." routine. I'm too busy to put up with that!