Google is implementing a major change to its authentication process by replacing SMS verification codes with QR codes for Gmail logins.
This update, reported recently is part of the company’s broader efforts to enhance security and improve user experience amid growing concerns over phishing attacks and SIM-swap fraud.
Instead of receiving a one-time passcode via SMS, users attempting to log into Gmail on a new device will now be prompted to scan a QR code with an already signed-in device, such as a smartphone or tablet.
According to the tech giant, this new method adds an extra layer of security by reducing the reliance on SMS, which has been increasingly exploited by hackers.
“The QR code authentication works in a manner similar to linking WhatsApp or Telegram accounts to a desktop version, where scanning the code on the login screen with an authenticated device confirms the login request,” Google noted.
Google’s decision to phase out SMS-based authentication is driven by the vulnerabilities associated with text message verification.
Cybercriminals have exploited these weaknesses by intercepting codes through phishing schemes or executing SIM-swapping attacks, wherein they fraudulently transfer a victim’s phone number to another device to gain unauthorized access.
By transitioning to QR code-based authentication, Google noted it aims to minimize these risks and offer a more secure, seamless login experience.
For most users, this change is expected to streamline the authentication process.
Many already use their smartphones for multi-factor authentication via apps like Google Authenticator or security keys, making the transition to QR codes relatively smooth.
However, those who rely solely on SMS for two-factor authentication will need to adapt by ensuring they have an alternative device available for the new verification method.
Although Google has not specified an exact timeline for when SMS-based authentication will be fully deprecated, the company is encouraging users to adopt QR code verification as soon as possible.
This move aligns with broader industry trends toward more secure, phishing-resistant authentication methods, including passkeys and biometric verification.
