Sadly the article is very light on how this actually works. I’m guessing it involves setting up an authenticator on the phone (something they encourage anyway) and just using a QR code as a new way of reading a TOTP from it?
Google binning SMS MFA and replacing it with QR codes • The Register
Submitted 10 months ago by sabreW4K3@lazysoci.al to technology@beehaw.org
https://www.theregister.com/2025/02/25/google_sms_qr/
Comments
smeg@feddit.uk 10 months ago
megopie@beehaw.org 10 months ago
How am I supposed to scan a QR code sent to my phone… with my phone?
JackOverlord@beehaw.org 10 months ago
On Android you can use Google Lens or, if you don’t want to use Google products, any random QR code scanner from the Play Store.
No idea about iPhone as I’ve never owned one, but I’d assume most QR code scanners can do that as well.
hazelnoot@beehaw.org 10 months ago
I’m confused about how this is supposed to act as a second authentication factor 🤔
FiskFisk33@startrek.website 10 months ago
A guess/suggestion: a
You have an app with a private key. The QR code contains data encrypted with the corresponding public key. Your app decrypts the data and transmits it to Google’s servers, proving you are in possession of the secret key.
hazelnoot@beehaw.org 10 months ago
oh so it would just be app-based MFA but without using TOTP. That makes sense
Visikde@beehaw.org 10 months ago
QRs don’t seem safe to me
Scanning a QR allows the installation of malware apps so I can look at a restaurant menu, & ding my card for recurring charges?
Hirom@beehaw.org 10 months ago
The devil’s in the details. And there aren’t many details in this article.
Moonrise2473@feddit.it 10 months ago
The real reason is that they want to save money on the text messages (outside of the US they need to pay $0.05 each time), not because they actually care about user security.
Like when xitter ran out of money and didn’t pay their SMS bills and people were locked out of their accounts.
lime@feddit.nu 10 months ago
i mean, it’s also a security issue. SMS is plaintext all the way from them to you.
t3rmit3@beehaw.org 10 months ago
Also, it’s dead simple to send someone else (or tell them over the phone) 6 numbers, when you’re being phished. Much harder for people to send someone a QR code.