
The shift is intended to improve security and will be rolled out over the next few months, according to Ross Richendrfer, head of security and privacy PR at the internet giant.
The news was revealed to security specialist Davey Winder in Forbes. Other authentication methods already available, including Google's authenticator app, Google prompts and passkeys, won't be affected.
“Over the next few months, we will be reimagining how we verify phone numbers,” Richendrfer told Winder. “Specifically, instead of entering your number and receiving a six-digit code, you’ll see a QR code being displayed, which you need to scan with the camera app on your phone.”
Users will need to have the appropriate app on their smartphone, of course.
SMS text message authentication is flawed in a number of ways.
First, people don't always have access to the device that the authentication codes are sent to, and mobile numbers only last as long as someone is paying the bill; some operators discontinue pay-as-you-go accounts if they're not regularly topped up. A number that lapses is eventually recycled, so the codes for an account that still lists it can end up with whoever the operator assigns it to next.
Second, the SS7 signalling protocol that carries SMS between networks dates back to 1975 and is notoriously insecure; attackers with access to the signalling network can use it to intercept or redirect text messages, codes included.
Account hijacking is not unknown either, whether for fraud or because the account holder is a high-profile individual; SIM-swap attacks, in which an attacker persuades or bribes an operator into moving the victim's number to a SIM the attacker controls, are the usual route. Moreover, SMS authentication can be abused for so-called SMS pumping: fraudsters trigger verification codes en masse to numbers in ranges they control and take a cut of the termination fee the online service pays for every message delivered.
This form of authentication was costing Twitter $60 million a year in carriage fees before it was withdrawn for most users following Elon Musk's takeover of the company in 2022.
Third, and following on from that, SMS-based multi-factor authentication means that an online service is only as secure as the mobile operator's own security and account-recovery procedures, which the service does not control.
However, QR codes are not without security risks either, even though the technology itself is decades old rather than new. Fake QR codes that mislead or misdirect are not uncommon: a code purports to link to a particular website or piece of information but instead sends an unsuspecting target to an attacker-controlled site, a practice now widely known as quishing.
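The SMS-pumping abuse described above is usually caught on the service side by watching the OTP send log for bursts of codes to many numbers in one block, often walked in sequence, rather than by per-IP rate limits alone. The following is an added example, not code from the article or from Google: a small detector run over a constructed log in an assumed `timestamp ip=... to=...` format, with hypothetical thresholds and window size.

```python
"""Flag SMS-pumping bursts in an OTP send log.

Added example, not part of the original article or any Google code. The log
format, field names, window length and thresholds are assumptions made here.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample log: one line per SMS code sent. 203.0.113.0/24 and
# 198.51.100.0/24 are documentation address ranges and UK 07700 900xxx
# numbers are reserved for fiction, so no real subscriber appears here.
SAMPLE_LOG = """\
2025-03-01T10:00:01Z ip=198.51.100.7 to=+15551230001
2025-03-01T10:00:02Z ip=203.0.113.5 to=+447700900101
2025-03-01T10:00:02Z ip=203.0.113.5 to=+447700900102
2025-03-01T10:00:03Z ip=203.0.113.5 to=+447700900103
2025-03-01T10:00:03Z ip=203.0.113.5 to=+447700900104
2025-03-01T10:00:04Z ip=203.0.113.5 to=+447700900105
2025-03-01T10:00:04Z ip=203.0.113.9 to=+447700900106
2025-03-01T10:00:05Z ip=203.0.113.9 to=+447700900107
2025-03-01T10:00:05Z ip=203.0.113.9 to=+447700900108
2025-03-01T10:00:06Z ip=203.0.113.9 to=+447700900109
2025-03-01T10:00:06Z ip=203.0.113.9 to=+447700900110
2025-03-01T10:00:07Z ip=203.0.113.9 to=+447700900111
2025-03-01T10:02:00Z ip=198.51.100.8 to=+15551230002
2025-03-01T10:30:00Z ip=198.51.100.9 to=+447700900112
"""


def parse_otp_log(text):
    """Parse 'timestamp ip=... to=...' lines into (ts, ip, number) tuples sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts_s, ip_kv, to_kv = line.split()
        ts = datetime.strptime(ts_s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((ts, ip_kv.split("=", 1)[1], to_kv.split("=", 1)[1]))
    events.sort()
    return events


def peak_distinct_in_window(items, window):
    """items: (ts, key) tuples sorted by ts. Returns the largest number of
    distinct keys seen in any trailing window of the given length (two-pointer sweep)."""
    live, left, peak = {}, 0, 0
    for ts, key in items:
        live[key] = live.get(key, 0) + 1
        while ts - items[left][0] > window:
            old = items[left][1]
            live[old] -= 1
            if live[old] == 0:
                del live[old]
            left += 1
        peak = max(peak, len(live))
    return peak


def longest_sequential_run(numbers):
    """Length of the longest run of consecutive E.164 numbers; pumpers often
    walk through a number block in order, which genuine users never do."""
    values = sorted({int(n.lstrip("+")) for n in numbers})
    best = run = 1 if values else 0
    for a, b in zip(values, values[1:]):
        run = run + 1 if b == a + 1 else 1
        best = max(best, run)
    return best


def detect_sms_pumping(events, window=timedelta(minutes=5), prefix_len=10,
                       max_per_prefix=8, max_per_ip=6):
    """Return {'prefix': {...}, 'ip': {...}} for anything over threshold.

    Two views are needed: a per-IP limit alone misses a pumper who spreads
    requests over several addresses, so destinations are also bucketed by
    their leading digits (the number block the fraudster earns from)."""
    by_prefix = defaultdict(list)
    by_ip = defaultdict(list)
    for i, (ts, ip, num) in enumerate(events):
        by_prefix[num[:prefix_len]].append((ts, num))
        by_ip[ip].append((ts, i))  # every request counts, repeats included

    flagged = {"prefix": {}, "ip": {}}
    for prefix, items in by_prefix.items():
        peak = peak_distinct_in_window(items, window)
        if peak >= max_per_prefix:
            flagged["prefix"][prefix] = {
                "peak_distinct_numbers": peak,
                "longest_sequential_run": longest_sequential_run(n for _, n in items),
            }
    for ip, items in by_ip.items():
        peak = peak_distinct_in_window(items, window)
        if peak >= max_per_ip:
            flagged["ip"][ip] = peak
    return flagged


if __name__ == "__main__":
    print(detect_sms_pumping(parse_otp_log(SAMPLE_LOG)))
```

On the constructed log the per-IP check flags only 203.0.113.9, while 203.0.113.5 stays just under its limit; the prefix view catches the whole +447700900 block anyway, with eleven distinct numbers inside five minutes and twelve consecutive numbers overall. In production the natural response is to stop sending to a flagged block and fall back to a non-SMS factor, which is precisely the cost Google's QR-code change avoids.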