Google starts phasing out SMS with two-factor authentication

Google has announced that it will be inviting people who use two-factor authentication via SMS to an alternative. In addition, users can approve or block a login attempt via their smartphone after a notification.

Users will see an invitation to use the alternative in the coming weeks. They can then choose to continue using the method or revert to a verification code via SMS. If they choose the latter option, they will receive another invitation six months later. The alternate authentication method displays a notification on a smartphone screen asking if the user has just attempted to log in.

It is then possible to confirm the request or to block it. According to Google, the advantage is that this uses an encrypted connection and that people can see more details about the login attempt, such as the device and the location. According to the search giant, SMS is insecure because the messages and one-time codes are susceptible to phishing. Google previously indicated that it is working on ways to prevent this form of data theft.

The US National Institute of Standards and Technology, or NIST, wrote a year ago that it considers SMS unsuitable for two-step authentication. According to Google, the invitation will only be shown to people who now secure their account in this way. People who use a hardware key for this will not receive an invitation. For iOS users, the Search app must be installed. Google introduced the mobile authentication approvals about a year ago.