Author Topic: Why Gmail's switch from SMS authentication to QR codes should be the standard  (Read 106 times)

Posted by javajolt


SMS verification is a simple and easy way for a service to check that the correct person is trying to access an account. When a person tries to log in to a service, a text message containing a short code is sent to the linked phone number. The person then verifies their credentials by entering the code in the text message.

This simple way of verifying access seems secure, but there has been a growing movement away from SMS verification for some time. Google is the latest service to make this shift: it has announced that Gmail will soon use QR code verification instead of SMS verification. This might seem like an irrelevant change, but here's why more companies should follow in Google's footsteps and stop using SMS verification.

Why SMS verification carries security risks

SMS messages are unencrypted and vulnerable to interception

SMS verification usually takes the form of a short string of numbers, usually around six digits long. This code is used to verify access to accounts that have been dormant for a while and verify actions like password or email resets. While this method is more secure than just a password, there are multiple ways a hacker can read this code.

SMS messages are not encrypted

The simplest way for a hacker to read your SMS messages is to install malware on your phone. As SMS messages are unencrypted, the malware can be set up to monitor SMS messages and send them to the hacker.

Every month, there is a new story about malware on Android devices, highlighting how vulnerable our SMS messages are. 8 million devices were infected by malicious apps on the Play Store in December 2024, a voice phishing malware compromised devices in November 2024, and a bug in Qualcomm chipsets compromised Android devices in October 2024.

Most of these malware scams are after your bank details, but SMS messages are also a potential target.



SMS messages can be intercepted

The most common method for a hacker to read your SMS messages is through malware, but the lack of encryption means messages can be intercepted en route to your device. Even if your device isn't infected with malware, your SMS messages still aren't safe.

The SMSC is vulnerable to hackers

The short message service center (SMSC) acts as a middleman between the sender and recipient of SMS messages. A message is first sent to the SMSC, where it is stored until the recipient is available or the SMS expires.

Anyone who has access to the SMSC (which is identified by a phone number stored in your SIM card) can read all stored messages. Not only can malicious actors read these messages, but they can modify them, opening the door to phishing scams as well.

For example, a hacker could replace the verification code with a request to click on a link to authenticate your access. As you just requested a text message, it's more likely you will click on it than if it was sent randomly.

It's worth noting that SMS verification is significantly more secure than only relying on a password. If a service only offers SMS verification, you should always sign up for it. Don't forget to check your phone for malware regularly.

Why QR code verification should be the standard

QR codes are not as vulnerable as SMS codes


Source: 9to5Google

QR code verification is straightforward. When you try to access a service, it displays a QR code on screen. Scanning this code with your device will successfully verify you and grant access.

QR code verification is more secure than SMS authentication because no message carrying an access code is ever sent. With no code in transit, there is nothing for malware or an interceptor to read or alter. Unless a malicious actor is recording your screen when you request the code, they cannot intercept the authentication process.

The overall process is significantly more secure than SMS authentication, but it's not perfect.

QR code authentication is still susceptible to phishing scams

The simplest way for a hacker to get into an account protected by two-factor authentication is to present you with a fake QR code. For example, they could send you a QR code that takes you to a fake website that looks identical to the real one.

According to an Abnormal Security report, these QR codes are usually sent over email and have an alarmingly high success rate. In an interview with Forbes about Gmail's switch to QR code authentication, Mike Britton, chief information officer at Abnormal Security, said this high success rate is because users aren't as wary of a QR code in an email as they are of a link.

From a technical standpoint, QR code verification is more secure than SMS verification, but human error makes it weaker in practice. Over time, the growing number of QR code scams will teach us to treat them with suspicion. Right now, though, we are at a tipping point: QR code scams are becoming more prevalent, but QR code verification isn't yet common enough for most people to recognise a fake one.
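The two sections above describe how QR code login works (a code on screen, approved by a device you already hold) and where it is weak (approving a request you did not really initiate). The following example, added here and not code from the article, Google or Discord, sketches one way a server and a phone app could implement that flow. The class and function names, the 60-second QR lifetime, the sample origins and the use of HMAC in place of a per-device asymmetric key are all assumptions; the in-memory dictionaries stand in for the server's database.

```python
"""Toy QR-code login flow (constructed example): the QR carries only a random,
single-use session handle; an already-signed-in phone approves it with a key
enrolled on the account. HMAC stands in for a per-device asymmetric key."""
import hashlib
import hmac
import json
import secrets
import time

SESSION_TTL = 60  # seconds a displayed QR code stays approvable (assumed value)


class QrLoginServer:
    def __init__(self, clock=time.time):
        self.clock = clock
        self.sessions = {}     # sid -> state of one login attempt
        self.device_keys = {}  # (user, device_id) -> enrolled device secret

    def enroll_device(self, user, device_id):
        """Done once, on a device the user is already authenticated on."""
        key = secrets.token_bytes(32)
        self.device_keys[(user, device_id)] = key
        return key

    def start_login(self, origin, user_agent):
        """Browser asks to log in: mint a session id and return the QR payload.
        The payload holds no credential, just a random handle the server knows."""
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {"origin": origin, "ua": user_agent,
                              "exp": self.clock() + SESSION_TTL,
                              "status": "pending", "user": None}
        return json.dumps({"v": 1, "sid": sid})

    def describe(self, sid):
        """Phone asks what it is about to approve. The context comes from the
        server's own record, not from the QR, so a forged QR cannot fake it."""
        s = self.sessions.get(sid)
        if s is None or s["status"] != "pending" or self.clock() > s["exp"]:
            return None
        return {"origin": s["origin"], "ua": s["ua"]}

    def approve(self, sid, user, device_id, signature):
        """Phone approves: check the device signature over (sid, user, device)
        and bind the pending session to the account. Works exactly once."""
        s = self.sessions.get(sid)
        if s is None or s["status"] != "pending":
            return False
        if self.clock() > s["exp"]:
            s["status"] = "expired"
            return False
        key = self.device_keys.get((user, device_id))
        if key is None:
            return False
        expected = sign_approval(key, sid, user, device_id)
        if not hmac.compare_digest(expected, signature):
            return False
        s["status"], s["user"] = "approved", user
        return True

    def poll(self, sid):
        """Browser that displayed the QR polls until the session is approved."""
        s = self.sessions.get(sid)
        return s["user"] if s and s["status"] == "approved" else None


def sign_approval(key, sid, user, device_id):
    msg = f"{sid}|{user}|{device_id}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def phone_scan(server, qr_payload, user, device_id, key, accept_context):
    """Phone app after scanning: show the user where the request came from,
    and sign an approval only if the user accepts that context."""
    sid = json.loads(qr_payload)["sid"]
    ctx = server.describe(sid)
    if ctx is None or not accept_context(ctx):
        return False
    return server.approve(sid, user, device_id, sign_approval(key, sid, user, device_id))


def demo():
    now = [1_000_000.0]
    srv = QrLoginServer(clock=lambda: now[0])
    key = srv.enroll_device("alice", "phone-1")
    qr = srv.start_login("https://mail.example.test", "Firefox on Windows")
    sid = json.loads(qr)["sid"]
    results = {}
    # Someone who only saw the QR (e.g. a screen recording) has no enrolled key.
    results["no_key_no_login"] = not srv.approve(
        sid, "alice", "phone-1", sign_approval(b"not-the-key", sid, "alice", "phone-1"))
    # Normal case: Alice's phone confirms the origin it is shown and approves.
    ok = phone_scan(srv, qr, "alice", "phone-1", key,
                    accept_context=lambda c: c["origin"] == "https://mail.example.test")
    results["normal"] = ok and srv.poll(sid) == "alice"
    # The handle is single use: a second approval of the same session fails.
    results["single_use"] = not srv.approve(
        sid, "alice", "phone-1", sign_approval(key, sid, "alice", "phone-1"))
    # A QR left on screen past its lifetime can no longer be approved.
    qr2 = srv.start_login("https://mail.example.test", "Chrome on Android")
    now[0] += SESSION_TTL + 1
    results["expired"] = not phone_scan(srv, qr2, "alice", "phone-1", key, lambda c: True)
    # The user is shown the server-recorded context and declines a request
    # that does not match the browser they are actually sitting at.
    qr3 = srv.start_login("https://mail.example.test", "Unknown browser")
    results["declined"] = not phone_scan(
        srv, qr3, "alice", "phone-1", key, accept_context=lambda c: c["ua"] != "Unknown browser")
    return results
```

The design point is that the QR contains nothing worth intercepting: the handle is random, expires, is consumed on first use, and is useless without a key that only an enrolled device holds. The `describe` step is the counterpart to the phishing problem the text raises; it lets the phone show the user where the login request really came from before anything is signed, which helps only if the user actually reads it.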

Despite its problems, QR code verification is a big step for our digital security

Google isn't the first company to introduce QR code authentication. Discord has offered it for years: you log in on one device by scanning the QR code shown on its login screen with the Discord app on another device where you're already signed in.

Gmail's upcoming switch to QR code authentication is a more significant moment than Discord's. Gmail's userbase is far larger, and the change should prompt other companies to follow in Google's footsteps and implement this more secure method of two-factor authentication.

source