Google binning SMS MFA and replacing it with QR codes • The Register
Submitted 5 months ago by sabreW4K3@lazysoci.al to technology@beehaw.org
https://www.theregister.com/2025/02/25/google_sms_qr/
Comments
smeg@feddit.uk 5 months ago
Sadly the article is very light on how this actually works. I’m guessing it involves setting up an authenticator on the phone (something they encourage anyway) and just using a QR code as a new way of reading a TOTP from it?
megopie@beehaw.org 5 months ago
How am I supposed to scan a QR code sent to my phone… with my phone?
JackOverlord@beehaw.org 5 months ago
On Android you can use Google Lens or, if you don’t want to use Google products, any random QR code scanner from the Play Store.
No idea about iPhone as I’ve never owned one, but I’d assume most QR code scanners can do that as well.
hazelnoot@beehaw.org 5 months ago
I’m confused about how this is supposed to act as a second authentication factor 🤔
FiskFisk33@startrek.website 5 months ago
A guess/suggestion:
You have an app with a private key. The QR code contains data encrypted with the corresponding public key. Your app decrypts the data and transmits it to Google’s servers, proving you are in possession of the secret key.
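A worked sketch of the challenge-response FiskFisk33 guesses at, added here as an illustration and not taken from the article or from Google. It swaps in an HMAC over a secret shared at enrollment (standard library only) for the public-key decryption in the comment; the names (QrChallengeServer, phone_respond, DEVICE_SECRET) are constructed, and it goes a bit beyond the comment by making each challenge short-lived, single-use and bound to the login session that displayed it.

```python
import base64, hashlib, hmac, json, secrets

# Constructed enrollment secret: handed to the phone app once, like a TOTP seed.
DEVICE_SECRET = secrets.token_bytes(32)


def phone_respond(device_secret: bytes, nonce_hex: str, session_id: str) -> str:
    """What the phone app does after scanning: sign nonce + session with its secret."""
    msg = bytes.fromhex(nonce_hex) + session_id.encode()
    return hmac.new(device_secret, msg, hashlib.sha256).hexdigest()


def scan_qr(payload: str) -> dict:
    """Decode the QR payload (base64url JSON) the login page would render."""
    return json.loads(base64.urlsafe_b64decode(payload))


class QrChallengeServer:
    """Issues single-use, short-lived challenges and verifies the phone's answer."""

    def __init__(self, device_secret: bytes, ttl_seconds: int = 120):
        self.device_secret = device_secret
        self.ttl = ttl_seconds
        self.pending = {}  # nonce (hex) -> (session_id, expires_at)

    def issue_qr_payload(self, session_id: str, now: float) -> str:
        nonce = secrets.token_bytes(16)
        self.pending[nonce.hex()] = (session_id, now + self.ttl)
        body = {"n": nonce.hex(), "s": session_id, "exp": int(now + self.ttl)}
        return base64.urlsafe_b64encode(json.dumps(body).encode()).decode()

    def verify(self, nonce_hex: str, session_id: str, response: str, now: float) -> bool:
        # pop(): a challenge can be answered once, so a captured response cannot be replayed
        entry = self.pending.pop(nonce_hex, None)
        if entry is None:
            return False
        expected_session, expires_at = entry
        if now > expires_at or session_id != expected_session:
            return False  # stale challenge, or response relayed into a different session
        expected = phone_respond(self.device_secret, nonce_hex, session_id)
        return hmac.compare_digest(expected, response)


def login_flow(server: QrChallengeServer, session_id: str, now: float):
    """Full round trip: page shows QR, phone scans it and answers with its secret."""
    challenge = scan_qr(server.issue_qr_payload(session_id, now))
    return challenge["n"], phone_respond(DEVICE_SECRET, challenge["n"], challenge["s"])
```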
hazelnoot@beehaw.org 5 months ago
oh so it would just be app-based MFA but without using TOTP. That makes sense
Visikde@beehaw.org 5 months ago
QRs don’t seem safe to me
Scanning a QR allows the installation of malware apps so I can look at a restaurant menu, & ding my card for recurring charges?
Hirom@beehaw.org 5 months ago
The devil’s in the details. And there aren’t many details in this article.
Moonrise2473@feddit.it 5 months ago
The real reason is that they want to save money on the text messages (outside of the US they need to pay $0.05 each time), not because they actually care about user security.
Like when xitter ran out of money and didn’t pay their SMS bills and people were locked out of their accounts
lime@feddit.nu 5 months ago
i mean, it’s also a security issue. sms is plaintext all the way from them to you.
t3rmit3@beehaw.org 5 months ago
Also, it’s dead simple to send someone else (or tell them over the phone) 6 numbers, when you’re being phished. Much harder for people to send someone a QR code.