Stefano Nicoletti, Head of MEF’s Sender ID Registry in the UK, comments on the news that Google plans to move away from using SMS for its two-factor authentication for Gmail – does the move signal the end of SMS for 2FA?
Google confirmed it intends to move away from SMS authentication for its Gmail services and to replace it with QR codes.
“Just like we want to move past passwords with the use of things like passkeys(..) we want to move away from sending SMS messages for authentication,” Ross Richendrfer, a Gmail spokesperson, was quoted as saying in Forbes.
Moving forward, Google will be transitioning to using a QR code that the user can scan using their mobile device. This is a far more sophisticated authentication mechanism than pasting a six-digit code from an SMS. The new system will effectively remove the telecommunication channel from the authentication process. Google has not given a specific timeframe for the transition but has indicated it will happen in the ‘near future’.
Currently, Google uses SMS to verify and authenticate users and to prevent abuse, such as when malicious agents create thousands of Gmail accounts to distribute spam and malware. While this change has been long-awaited, we understand that the new policy will affect Gmail; it does not mean that Google is moving away from SMS authentication for all its other services just yet.
Other major tech companies have taken similar steps. Meta is actively phasing out SMS 2FA, encouraging users to switch to more secure methods like authenticator apps or security keys. Microsoft recommends its Microsoft Authenticator app, Windows Hello, or passkeys, and prompts users to sign in using the most secure method they have registered. Amazon Web Services supports various MFA types, including physical devices like YubiKey (a phishing-resistant authentication method based on Fast Identity Online (FIDO) standards), virtual authenticator apps like Authy, and hardware Time-based One-Time Password (TOTP) tokens. E-shoppers can also use the Amazon mobile app for authentication.
Digital giants cite security as the main reason for the change. SMS messages are not encrypted and can be easily intercepted by malicious actors, making them a less secure option. SMS pumping, a form of artificially inflated traffic (AIT), is also a global issue. Fraudsters generate large volumes of OTP requests to numbers they control in order to benefit from the termination revenues, which are ultimately paid by those who initiate the OTP traffic, including Amazon, Microsoft, Meta, and Google.
While rising costs are not explicitly mentioned as a factor, they may well play a part. According to Mobilesquared data, the average global termination rate for A2P SMS grew from $0.033 in 2021 to approximately $0.065 in 2023, almost double. During the same period, 90% of mobile operators increased their international rates, with 20% of them raising rates by 50%-100% and 3.9% by a whopping 500%. With such increases, and considering that tech giants generate huge amounts of international SMS traffic, it’s no wonder they are exploring cheaper options.
So, will SMS disappear soon? Perhaps not. SMS has been declared dead multiple times in the past but has proven more resilient than most would have ever thought. First, while operators recommend more robust authentication methods, most still support SMS-based MFA as a possible choice. Secondly, what tech giants do may be different from the rest of the market.
Smaller players may still find the balance tipping in favour of SMS. The cost impact on them may not be as significant, and they may not have the financial resources or technical expertise to adopt more sophisticated authentication methods, and perhaps they may not want to do so.
Thirdly… well… try asking your grandmother (or grandfather) to install an authenticator app, then generate a random code and pass it on for authentication! When it comes to deploying new secure services, simplicity and ubiquity are super important to brands. SMS messages are simple, well-tested, and well-understood by everybody. Everybody opens and reads them, they do not require app installation, they are usually taken more seriously than other social media messaging, and they are more accessible to the public, particularly the least tech-savvy.
While the transition away from SMS-based authentication methods gains momentum among tech giants, the practicality and familiarity of SMS ensure that it remains a viable option for many. As the digital landscape continues to evolve, balancing security with user convenience will be paramount. So, whether it’s through QR codes, authenticator apps, or even the tried-and-true SMS, the ultimate goal is to keep users safe in an ever-connected world.