Gmail to Stop Using SMS for Two-Factor Authentication

The era of SMS security codes for identity verification is nearing its end, and the shift couldn’t come at a more critical time. As the tech world edges away from passwords toward biometric-driven passkeys, two-factor authentication has evolved rapidly, with code-generating apps and seamless app-less methods gaining ground. SMS, though long considered a baseline safeguard, has clung to relevance—until now. After an exclusive exchange with Google insiders, I can confirm that Gmail is poised to abandon SMS codes altogether, ushering in a bold pivot to QR codes. Here’s the full picture.

 


Ross Richendrfer, a Gmail spokesperson, laid out the company’s vision with striking clarity: “Just like we want to move past passwords with the use of things like passkeys, we want to move away from sending SMS messages for authentication.” This isn’t a mere tweak—it’s a calculated leap to counter the escalating chaos of global SMS abuse. Google’s plan swaps out those familiar six-digit codes for QR codes, a move designed to tighten security and outmanoeuvre fraudsters.

 

Google leans on SMS today for two core reasons: confirming user identity and curbing abuse. Richendrfer broke it down: verification ensures “that we’re dealing with the same user as before,” while abuse controls block criminals from churning out Gmail accounts to unleash spam or malware. But SMS has glaring weaknesses. Codes get phished. Devices go missing. Carriers falter. “If a fraudster can easily trick a carrier into getting hold of someone’s phone number,” Richendrfer noted, any “security value of SMS goes away.” It’s a stark reality—SMS is a shaky foundation in a high-stakes game.

 

The stakes climb higher when you consider SMS’s role in fuelling crime. Google has tracked a scam dubbed traffic pumping—also known as toll fraud—where fraudsters trigger mass SMS deliveries to numbers they control, pocketing cash per message. Richendrfer and his colleague Kimberly Samra described it bluntly: “It’s where fraudsters try to get online service providers to originate large numbers of SMS messages to numbers they control, thereby getting paid every time one of these messages is delivered.” It’s a cunning exploit, and SMS sits at its core.

 

If you’ve already upgraded your Gmail security—say, with the Google 2FA app, prompts, or passkeys—you’re ahead of the curve. For the rest, SMS lingers as a fallback, propped up by habit or oversight. Why wait? The risks are clear, and better options beckon.

 

So, what’s next? “Over the next few months, we will be reimagining how we verify phone numbers,” Richendrfer revealed. “Specifically, instead of entering your number and receiving a 6-digit code, you’ll see a QR code being displayed, which you need to scan with the camera app on your phone.” It’s a shift that demands attention. QR codes aren’t flawless—I’ve written plenty about their pitfalls—but this marks a step forward for Gmail’s 1.8 billion users.

 

Google touts three key wins with QR codes. First, they slash phishing risks—no codes exist to steal. Second, they cut dependence on carriers for abuse protection. Third, they blunt the impact of SMS-driven scams. “SMS codes are a source of heightened risk for users,” Richendrfer emphasised. “We’re pleased to introduce an innovative new approach to shrink the surface area for attackers and keep users safer from malicious activity.” He hinted at more to come, though no firm rollout date emerged. The urgency, however, resonates: how long can we afford to wait?

 

Not everyone’s sold. Mike Britton, chief information officer at Abnormal Security, offered measured praise: “It’s good to see Google get with the times and remove SMS multi-factor authentication due to its well-known insecurities and susceptibility to being exploited.” Yet he flagged a catch. “QR codes are a more secure replacement,” he said, “but they don’t come without their risks when it comes to multi-factor authentication themed attacks.” His team’s data backs this up—27% of QR-based attacks they’ve tracked mimic MFA notifications. Why? Britton pointed to a chilling truth: QR scams lack the red flags we’ve learned to spot in traditional phishing. That novelty hands attackers an edge.

 

Where does this leave you? Whether it’s Gmail or beyond, Britton’s advice cuts through the noise: “Question any organisation which is proactively asking for credentials, avoid providing sensitive information online and be suspicious of any links sent to you via email.” It’s a call to vigilance in an era of shifting threats.

 

SMS served its purpose, but its time is up. QR codes may not be perfect, but they sharpen the fight against fraud.

 
 
 