Google is eliminating SMS-based authentication for Gmail in favour of QR codes, citing security vulnerabilities and abuse risks. IT leaders should use this transition as a catalyst to evaluate their organization's use of SMS-based authentication and plan for more secure alternatives.
Why You Should Care
- SMS-based authentication is highly vulnerable. Attackers exploit SMS through phishing, SIM swapping, and malware that intercepts codes. Fraudsters also exploit SMS weaknesses through scams like “traffic pumping,” involving criminals tricking providers into sending authentication texts to numbers they control, generating illicit revenue. Eliminating SMS reduces these risks and enhances security.
- QR codes reduce security risks. Since QR-based authentication does not require entering a numeric code, phishing risks are reduced. Additionally, it removes dependency on telecom carriers for security. The shift from SMS to QR codes aligns with the broader industry trend of moving away from less secure authentication methods like passwords and SMS. Embrace this change to stay ahead of evolving security threats and demonstrate a commitment to protecting sensitive data.
- QR Codes enhance user experience. While SMS may seem convenient, users can lose access to codes if they lose access to their devices or phone numbers. QR codes offer a more reliable authentication method, ensuring consistent access to personal and enterprise accounts.
What You Should Do Next
CIOs and senior IT leaders must conduct a comprehensive audit to determine how a shift to newer authentication methods will impact their enterprise and what accommodations may be required for enterprise users. Explore alternative authentication methods—such as authenticator apps, passkeys, or physical security keys—to enhance overall security.
Get Started
- Assess organizational readiness. Conduct a review of where SMS-based and other outdated authentication approaches are still in use and prioritize alternatives.
- Pilot alternative authentication approaches with a small group of users. Gather feedback on the usability and effectiveness of new methods to refine your implementation strategy.
- Communicate, educate and update. Inform employees and users about the shift to more robust authentication methods. Ensure they understand the importance of the new authentication approach and how to use it correctly to prevent security breaches. Update all security policies and manuals to reflect these changes.
- Stay agile. Monitor cybersecurity trends and evaluate emerging authentication technologies and best practices for future-proof security. Keep abreast of new developments and recommendations to continuously improve your authentication methods and overall security posture