Checklist 413: Googling Good News
Google Phases Out SMS 2FA for More Secure QR Code Authentication
In a move to enhance online security, Google has announced that Gmail will discontinue SMS-based two-factor authentication (2FA) in favor of QR code-based authentication. The change, expected to roll out “over the next few months” aims to address long-standing security flaws associated with SMS authentication.
The Risks of SMS 2FA
The decision to move away from SMS-based authentication comes after years of warnings from cybersecurity experts. According to CNET, SMS 2FA is vulnerable to various attacks, including:
- SIM Swapping: Hackers can convince mobile carriers to transfer a victim’s phone number to a new device, giving them access to 2FA codes
- Message Syncing Risks: If text messages are synced with a laptop or tablet, a stolen device could expose authentication codes
- SS7 Attacks: Exploiting weaknesses in the Signaling System 7 (SS7) protocol allows attackers to intercept text messages and track phone locations
Despite these well-documented issues, Google has continued using SMS for 2FA—until now.
Why QR Codes?
Gmail spokesperson Ross Richendrfer told ZDNet that QR codes provide a more secure alternative:
- They eliminate numeric authentication codes, removing an easy target for scammers
- They bypass mobile carrier vulnerabilities, such as SIM swapping
- They align with modern user behavior, as QR codes have become more widely adopted
While Google encourages users to adopt stronger authentication methods like security keys or authenticator apps, the QR code approach is seen as a practical middle ground.
A Step in the Right Direction
Security experts acknowledge the shift as a positive move, though QR codes come with their own risks. Cybercriminals have been known to create fake QR codes leading to phishing sites—a concern discussed in Checklist podcast episodes 263, 340, and 391.
For now, Gmail users should prepare for the transition and consider switching to an authenticator app for added security.
Google Makes It Easier to Remove Personal Information from Search Results
In a major privacy-focused update, Google has announced improvements to its “Results About You” tool, allowing users to more easily request the removal of personal information from search results. The update, reported by TechCrunch and ZDNet, enables users to make removal requests directly from Google Search instead of navigating through buried settings.
How to Remove Personal Information from Google Search
Google now offers a streamlined process for requesting the removal of sensitive personal data:
- Perform a Google Search to check if your personal information appears in the results
- Click the three dots next to the search result
- Select a reason for removal, which may include:
- Personal information exposure (such as contact details)
- Legal concerns (such as copyright infringement or child abuse)
- Outdated information requiring a refresh
- Follow the on-screen instructions to complete the request
While removing a result from Google Search won’t erase it from the original website, many online directories offer separate opt-out options.
Proactive Monitoring for Personal Data
In addition to easier removal, Google is introducing a proactive monitoring feature. Users can sign up through the “Results About You” hub to receive notifications when their personal information appears online, allowing for faster action. Previously, the sign-up and monitoring tools were in separate locations, but Google has now centralized them for convenience.
Where Is This Available?
The updated removal tools and monitoring services are now available in major regions, including Australia, Brazil, Canada, France, India, Indonesia, Ireland, Mexico, South Africa, Spain, Sweden, Thailand, the U.K., and the U.S.
Google’s efforts to enhance privacy controls reflect growing concerns over online data exposure. While this won’t erase personal data from the internet entirely, it provides users with more control over what appears in search results.
