Google wants you to stop using its SMS two-factor sign-in

SMS isn't secure, so Google will start pushing its users across to its prompt-based 2-Step Verification.
Written by Liam Tung, Contributing Writer

Anyone who uses SMS for two-step verification will soon see an invitation to try Google prompts when they sign in.

Image: Google

Starting next week, Google will make a significant step towards moving users off two-step verification sign-in delivered by SMS.

Google has continued to support SMS for two-factor authentication despite the National Institute of Standards and Technology last year deprecating it from its preferred list of out-of-band authentication methods.

The main reason for deprecating SMS is that it isn't safe. An attacker could, for example, con a mobile network operator into redirecting the SMS to their own phone. There are also numerous malicious Android apps that capture SMS codes sent from banks to users.

In place of SMS, Google will be pushing Android and iOS users towards its prompt-based 2-Step Verification (2-SV) sign-in. Google launched this in June 2016, with a key advantage over SMS being that the process occurs over an encrypted connection.

In February, it also improved prompts with additional contextual information, such as the device, location, and time of the attempt to sign in to a Google account.

Starting next week, Google will display an invitation to people who use 2-SV over SMS to switch to prompts. Google isn't dropping support for the familiar SMS option just yet, but it is signaling that it may eventually do so.

For now, Google is pitching the switch as a "better experience" for 2-SV. Users can choose to keep the prompt-based sign-in flow or opt out; however, anyone who goes back to SMS will receive "follow-up notifications" after six months.

This presents no change for Android users, who can receive the prompts without an additional app. But iOS users who rely on SMS for Google 2-SV will need to install the Google Search app on their phone.

"Overall, this is being done because SMS text-message verifications and one-time codes are more susceptible to phishing attempts by attackers," Google explained.

"By relying on account authentication instead of SMS, administrators can be sure that their mobile policies will be enforced on the device and authentication is happening through an encrypted connection."
