Gmail Finally Abandoning SMS Verification, But Chose The Worst Alternative
QR Codes? Seriously?
Google have made another less than wise decision for securing Gmail accounts, if the reporting at Ars Technica is correct. Their current process for secondary verification of a login is an SMS text sent to the number associated with your Gmail account. This is not a particularly secure way of handling MFA, as there are a variety of ways to intercept these unencrypted SMS messages. They range from the SIM swap, where someone tricks or bribes your carrier to move your number to a new SIM card they have in their possession, to interception of the message as it makes its way to your phone. They can also simply call or text you to try to trick you into ‘verifying’ you received the correct code.
The rumour is that Google will replace Gmail’s SMS verification with a QR code you would need to scan to verify your login. The first problem with this is the need to be able to scan a QR code, which not all phones can manage without the installation of often dodgy QR code scanning apps. There is also the difficulty of scanning a QR code that is sent to your phone if you happened to trigger 2FA when checking mail on your phone.
The real problem is that humans cannot read QR codes, and this could lead to people being sent QR codes claiming to be from Google but are actually a phishing attack. It would be simple to set up a page that looks exactly like the Gmail login screen and direct anyone who scans the QR code to there to enter their login information. At that point the attacker would own your Gmail account.
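As an added illustration (not code from the original post): the check a human cannot do by eye is to look at the text a QR code decodes to before the link is opened. The trusted host list and the sample payloads below are assumptions constructed for this example.

```python
from urllib.parse import urlsplit

# Assumption for this example: a genuine Google sign-in link is only
# ever expected on this host, over https, with no userinfo or port.
TRUSTED_HOSTS = {"accounts.google.com"}


def classify_qr_payload(payload: str) -> str:
    """Classify text decoded from a QR code: 'trusted', 'suspicious' or 'not-a-url'."""
    payload = payload.strip()
    try:
        parts = urlsplit(payload)
        scheme = parts.scheme.lower()
        if scheme not in ("http", "https"):
            return "not-a-url"          # plain text, otpauth:, javascript:, ...
        if scheme != "https":
            return "suspicious"         # a real login page is never plain http
        # hostname already drops user:pass@ and :port; treat their presence
        # as a sign of a lookalike such as accounts.google.com@evil.example
        if parts.username is not None or parts.port is not None:
            return "suspicious"
        host = (parts.hostname or "").lower()
    except ValueError:
        return "suspicious"             # malformed port or netloc
    if host.startswith("xn--") or ".xn--" in host:
        return "suspicious"             # punycode (IDN homograph) host
    # exact match only: accounts.google.com.login.example is a different host
    return "trusted" if host in TRUSTED_HOSTS else "suspicious"


# Constructed sample payloads, as a QR decoder would hand them back.
SAMPLE_PAYLOADS = [
    "https://accounts.google.com/signin?continue=mail",
    "http://accounts.google.com/signin",
    "https://accounts.google.com.login-verify.example/signin",
    "https://accounts.google.com@login-verify.example/signin",
    "https://xn--ggle-0nda.example/signin",
    "Your verification code is 123456",
]

if __name__ == "__main__":
    for p in SAMPLE_PAYLOADS:
        print(f"{classify_qr_payload(p):11} {p}")
```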
This may roll out in the next few months, but if you have already set up proper MFA for your Gmail account you won’t have to worry about this at all. You might want to think about doing so if you haven’t.
SMS messages are delivered by mobile carriers without encryption, and they often go through intermediaries that can be compromised without your knowledge. Even if the line is secure, phone numbers have very little in the way of security.
More Tech News From Around The Web
- HP ditches 15-minute wait time policy due to ‘feedback’ @ The Register
- PSA: Amazon kills “download & transfer via USB” option for Kindles this week @ Ars Technica
- Botnet targets Basic Auth in Microsoft 365 password spray attacks @ Bleeping Computer
- Larry Ellison wants to put all America’s data, including DNA, in one big Oracle system for AI to study @ The Register
- Australia bans all Kaspersky products on government systems @ Bleeping Computer
- Have I Been Pwned likely to ban resellers from buying subs, citing ‘sh*tty behavior’ and onerous support requests @ The Register
- HPE ProLiant Gen12 Launched Ahead of Intel Granite Rapids-SP @ ServeTheHome
- LibreOffice still kicking at 40, now with browser tricks and real-time collab @ The Register
- ALLPOWERS S2000 Portable Power Station Review @ NikKTech
- A 3D Printed Camera You Can Now Download, Shutter And All @ Hackaday
Good commentary. Thanks for bringing this up.