Blog: Passwordless & Identity Security Insights | HYPR

Beyond SMS: HYPR's Perspective on Gmail's Shift to QR Code Authentication

Written by Martin Gallo, Sr. Product Manager, HYPR | Feb 28, 2025 12:20:32 AM

SMS-based two-factor authentication (2FA) has long been a staple security measure for many online services, including Gmail. However, as the tech industry shifts towards more secure authentication methods, it has become evident that SMS codes are no longer the ideal solution. A Gmail spokesperson recently confirmed that Google is planning to phase out SMS codes for authentication, marking a significant change for billions of users worldwide.

This move by Google validates HYPR's long-held belief that passwords and SMS codes are inherently insecure and susceptible to various attacks. HYPR has been a leader in the passwordless authentication space, advocating for and implementing more secure methods like passkeys and QR codes for years.

Drawbacks of SMS-based 2FA

While SMS-based 2FA has been widely adopted, it comes with several inherent security vulnerabilities that can compromise user accounts:

  • Phishing risks: Threat actors can trick users into sharing their SMS codes, granting them unauthorized access to accounts.
  • Reliance on carrier security practices: The security of SMS codes heavily depends on the user's mobile carrier, which may have varying levels of protection against attacks.
  • Accessibility issues: Users may not always have access to the device receiving the SMS codes, making it difficult to authenticate their identity.

Moreover, SMS verification codes have become a target for criminals, who exploit them for various scams.

Google's Decision to Move Away from SMS Codes

In a conversation with Forbes, Gmail spokesperson Ross Richendrfer revealed Google's intention to move past passwords and SMS messages for authentication. According to Richendrfer, Google currently uses SMS verification for two primary purposes:

  1. Security: Verifying that the service is dealing with the same user as before.
  2. Abuse control: Preventing fraudsters from abusing Google's services, such as creating thousands of Gmail accounts to distribute spam and malware.

However, SMS codes present numerous challenges, as outlined by Richendrfer and his colleague Kimberly Samra:

  • Phishing risks: Users can be tricked into sharing their SMS codes with threat actors.
  • Accessibility concerns: Users may not always have access to the device receiving the codes.
  • Carrier security practices: The security of SMS codes relies on the user's carrier, which may have varying levels of protection.

Richendrfer emphasized that if a fraudster can easily trick a carrier into obtaining someone's phone number, the security value of SMS is significantly diminished.

Moreover, SMS verification codes are often at the heart of many criminal operations, such as traffic pumping scams, artificial traffic inflation, and toll fraud. These scams involve fraudsters manipulating online service providers to send large numbers of SMS messages to numbers they control, thereby earning money for each delivered message.

Gmail's Transition to QR Codes for Authentication

To address the security concerns associated with SMS codes, Gmail is set to introduce a new phone number verification process in the coming months. Instead of receiving a 6-digit SMS code, users will be presented with a QR code that they need to scan using their phone's camera app.

The benefits of QR codes for authentication, as stated by Google, are threefold:

  1. Reduced phishing risk: Since there are no shareable codes, the risk of users being tricked into sharing their security codes with threat actors is significantly reduced.
  2. Decreased reliance on phone carriers: In most cases, Google users will no longer need to rely on their phone carrier for anti-abuse protections.
  3. Mitigation of global SMS abuse impact: The transition to QR codes will help reduce the impact of rampant, global SMS abuse.

HYPR applauds Google's move to QR codes, a technology we have been championing for years. We have recognized the inherent limitations and vulnerabilities of SMS codes and have been actively implementing QR code authentication across our platform.

HYPR's Implementation of QR Codes

At HYPR, we have integrated QR codes into various aspects of our identity assurance platform, including:

  • Onboarding: New users can be onboarded seamlessly and securely using QR codes to verify their identity and register their devices.
  • Reprovisioning: If a user loses or replaces their device, they can quickly and easily reprovision their credentials using a QR code.
  • Fallback: In situations where a user's primary authentication method is unavailable, QR codes can serve as a secure fallback option.

Demo example of HYPR's QR code implementation

Our commitment to QR code authentication stems from our understanding of its security benefits. Unlike SMS codes, QR codes are less susceptible to phishing attacks, as they are not shareable codes. Moreover, QR codes do not rely on carrier security practices, making them a more reliable authentication method.

Expert Perspective on QR Code Authentication

While Google's decision to deprecate SMS codes is a positive step, it's important to remember that QR codes are not without their own security considerations. Because QR codes are a relatively new technology for authentication, users may not view them with the same level of suspicion they apply to more established phishing techniques. This lack of awareness can be exploited by threat actors.

However, HYPR's CEO, Bojan Simic, emphasizes the importance of context and implementation when evaluating the security of QR codes. "While it's true that QR codes can be exploited in phishing attacks, the context in which they are used significantly impacts their security," says Simic. "When implemented correctly, as part of a comprehensive, passwordless MFA platform, QR codes offer a significant security advantage over SMS codes and passwords."

Simic further explains, "HYPR's implementation of QR codes leverages device-bound credentials and cryptographic techniques that mitigate the risks associated with phishing and session hijacking. This ensures that even if a user scans a malicious QR code, their credentials remain secure."

To further enhance security, HYPR's platform incorporates additional layers of protection, such as:

  • Risk-based authentication: HYPR Adapt analyzes various risk signals, such as user behavior, device posture, and location, to assess the risk associated with each authentication attempt. This allows for dynamic adjustments to the authentication process, ensuring that only legitimate users gain access.
  • Identity verification: HYPR Affirm provides a deterministic way to prove a user's identity, preventing account takeover attacks that exploit social engineering and help desk vulnerabilities.

By combining QR code authentication with these advanced security measures, HYPR provides an end-to-end secure authentication solution that mitigates the risks associated with both traditional and emerging attack vectors.

Beyond QR Codes: HYPR's Comprehensive Approach to Identity Assurance

Gmail's plan to phase out SMS codes in favor of QR codes marks a significant security moment for Google and its billions of users worldwide. By addressing the vulnerabilities associated with SMS-based authentication, Google aims to provide a more secure experience for its users. This move aligns with HYPR's mission to deliver passwordless identity assurance by unifying phishing-resistant authentication, adaptive risk mitigation, and automated identity verification.

HYPR's innovative identity assurance platform empowers organizations to embrace phishing-resistant authentication methods like passkeys and allows for more secure alternatives like QR codes, ensuring a seamless and secure user experience. As the tech industry continues to evolve, HYPR remains committed to staying ahead of the curve, providing cutting-edge solutions that safeguard digital identities.

To learn more about how HYPR can help your organization transition to more secure authentication methods and enhance your overall security posture, please contact us or schedule a demo today.