Gmail, removal of SMS 2FA option, and the QR code nonsense

Updated: February 25, 2025

Like many a nerd, yesterday and today, I read a whole bunch of news on how Google intends to remove SMS as an option for 2-Factor Authentication (2FA) for Gmail accounts. On its own, this wouldn't be a biggie. Perhaps even a good thing. But the hailed replacement, in the form of QR codes, is an alarming development. Utter nonsense, if you ask me.

Indeed, I instantly felt compelled to write an article. Google hasn't announced the implementation of this solution yet. It might just be a fancy way of referring people toward authenticator apps. Which, again, is a good thing. Or, it could be an attempt to make people even more subservient to the Google ecosystem, in the name of security. Or something else entirely. We shall see. But I want to address the supposed "benefits" of anything QR-related. Let's commence.

SMS are "insecure"

The techbros will tell you. They will tell you how SMS are sent in plain text and someone could intercept the codes. And that there have been SIM Swap attacks, whereby the legitimate owner's phone number was ported to some baddies without the user's knowledge. They will use these isolated cases as an example of a pending doom.

There are three reasons why this is hype:

SMS code

If someone can intercept this, you have a much, MUCH bigger problem on your hands.

What SMS is, it's simple and reliable. And it does not tie you into having a smartphone or mobile data. You can receive an SMS pretty much on anything with a SIM card, even a phone from 2005 if you want. And that's a very secure device nowadays, especially if not connected to the Internet. Many times more so than whatever smartphone you're using.

QR code means NO poor or old people allowed

To scan a QR code, you will most likely need a smartphone. The Californians will find it hard to believe, but poor people exist, and so do old people, both of which will not be able to afford and/or use complicated nerdy smartphone apps.

As an example, I know of a few banks that have adopted mobile apps with QR code scanning for authorization of various activities. And do you know how old people handle that? They show up, physically, at the branch, and queue until an employee can help them. Now, with companies being greedy, everything being offshored and/or handed over to "AI" bots, if you don't use a smartphone, your chances of interacting with the service become nil. Effectively, this is a big middle finger to anyone over 65 or not rich enough to go about with a brand new device.

Does this affect a huge percentage of people? Perhaps not. But if that's good enough to prune bits of "undesirables" from the society based on arbitrary tech decisions, well.

QR are "secure"

The techbros will tell you. No, they are not. They are the stupidest implementation of "security" EVER. It's an undecipherable pictogram. A magical, mystical thing for the illiterate. We're regressing from using human language and words to using hieroglyphs like it's 3,000 BCE. But hey, stupid people are easier to control, and they are much more profitable.

There's nothing good about QR codes except that they require a camera. Here are two recent examples of how crappy this technology is. On my Nokia X10 phone, a system update destroyed the QR scanning for quite a while. Yes, even if I wanted, I couldn't scan anything. Amazing, right. On my Samsung A54, if you don't give Google Play Services EXTRA permissions, then you cannot scan QR codes with Google Authenticator, a completely separate app. A lovely, dystopian screenshot to boot:

Camera access

You scan, and then what?

OK, let's assume for a second that this is the implementation. And? People can still be sent to phishing sites that will look like Gmail and have QR codes. And these sites will send the folks around the merry, evil Web just like before. Perhaps even with more ease. Remember, in many prominent hacks, the user supplied the baddies with the relevant 6-digit codes in real time, by inputting them into fields that looked just like the real thing. Again, technology cannot solve things like fear, panic, confusion, etc. If anything, OBSCURE technology only heightens these emotions, making people even more prone to making mistakes.

There's another possibility. This is just badly worded drama. Maybe this merely means you need to use a simple authenticator app that generates OTP codes. Well, that option exists, so there's no reason to do anything, or make any big announcement. The fallback is key, of course, but that's never really bothered tech companies and their shiny, move-fast nonsense (supposedly, SMS will still exist for some functions). Regardless, QR codes are pointless and useless. After all, QR codes in authenticator apps are merely seed hashes so the apps can generate relevant codes. They exist because "typing on a phone" is hard. Oh noes! Cry me a river. As the legendary basketball coach Zeljko Obradovic would say, paraphrasing: Which QR code? This QR code? This is joke, bre [sic].

And if it's a completely new thing, what then? Associate one phone with one account? That means less privacy, of course. Today, you don't really need to do anything on your phone if you want to Gmail about. You can use an authenticator app, never sync any codes or anything to the cloud, use a completely separate account on your phone from whatever you use on the desktop, use multiple accounts, etc. I don't want to be too cynical, but this is a golden opportunity to force people to forever authenticate on their phones and surrender yet more of their pointless lives to the data overlords.

I don't know if this is going to be the case, but I have no reason to be optimistic. Look at the past fifteen years or so. Online accounts for everything, cloud cloud cloud nonsense everywhere, Manifest V3, ads, ad "privacy" and other useless dross. Everything designed to harvest yet more data from idiots, and make them yet more connected and hooked and reliant on the big companies. Why would this be any different?

The one tiny hope I have is that the European Union may force a certain level of privacy and anonymity into the equation. But that won't solve everyone's needs around the globe. And hopefully, there will be just enough resistance and noise so whatever replaces SMS is sane and useful and simple. I can only hope.

Conclusion

I don't mind Google trying to make logins more secure. Yes, 2FA using OTP codes generated by an offline app is better than SMS. But QR codes as a security concept are a million times worse. Similarly, taps are for idiots, passkeys are nonsense except for the ultra-committed geeks, and hardware keys make absolute sense for the professionals and high-profile individuals. For ordinary people, SMS was the simple and reliable option, and still is. Authenticator-like apps are good for people who are a bit more savvy and have enough money and knowledge to use a smartphone.

Removing SMS isn't just about technology - it's about society. Removing it effectively removes the poor and the old from the equation. That's financial and technological ostracism. But those people are not profitable anyway, they won't be "subscribing" to services or seeing ads, so who cares, right? Well, we still need to see what Google will do. Perhaps it's going to be something truly sensible and cool. Or not, at all. We shall see. Whatever it is, though, if it relies on QR codes, it's going to be awful, horrible, stupid, and pointless. Bye bye now.

Cheers.