Google reportedly wants to move away from SMS code-based authentication, explains why

Google is reportedly preparing to phase out text message codes for verifying Gmail users, according to an exclusive report by Forbes. The company confirmed plans to shift toward a QR code system, citing concerns over security risks tied to traditional SMS-based authentication.

Writing for Forbes, Davey Winder, a cybersecurity expert, revealed details of the plan after speaking with Google insiders. In a February 2025 article, Winder noted that SMS verification has long been criticized as vulnerable to hacking, phishing, and scams. While text-based codes are still widely used, tech companies like Google have increasingly pushed for alternatives such as biometric passkeys or app-generated codes. Now, Gmail is taking a leap toward QR codes to address what it calls “rampant, global SMS abuse.”

In an email exchange with Winder, Google spokesperson Ross Richendrfer explained that SMS codes pose multiple risks. Criminals can intercept them through phishing attacks or by exploiting weaknesses in phone carriers’ security systems. For example, fraudsters sometimes trick carriers into transferring a victim’s phone number to a device they control, allowing them to steal verification codes. “If a fraudster can easily get hold of someone’s phone number,” Richendrfer said, “the security value of SMS goes away.”

Another issue involves scams like “traffic pumping,” where criminals manipulate companies into sending large volumes of SMS messages to numbers they own, earning money each time a message is delivered. Google’s security team, including analyst Kimberly Samra, noted this scheme has surged in recent years, costing businesses and users alike.

To combat these threats, Google plans to replace SMS codes with QR-based authentication. Instead of typing a six-digit code, users will scan a QR code displayed on their screen using their phone’s camera. The company claims this method reduces phishing risks since there’s no code to steal. It also lessens reliance on phone carriers, which often lack robust anti-fraud measures.

While QR codes aren’t immune to criticism — some security experts argue they can be spoofed or manipulated — Google insists the shift will “shrink the surface area for attackers.” The transition is expected to roll out over the next few months, though no specific timeline has been shared.

The change reflects Google’s ongoing effort to phase out older security practices. Last year, the company championed passkeys as a password replacement, promoting biometric logins via fingerprints or facial recognition. Now, by distancing itself from SMS, Google aims to set a new standard for safer, simpler authentication.

As Richendrfer put it, “We want to keep users safer from malicious activity.” As scammers adopt more sophisticated means, including AI, to target Gmail users, this is a step in the right direction.