***** Regarding Google's announcement regarding ending use of SMS for account recovery, and moving to QR codes *****
I've received a lot of queries about the #Google announcement that they're moving away from SMS and want to use QR codes for account recovery and likely other purposes such as 2-factor authentication. A lot of people are concerned about how this will affect people without smartphones or in many cases even Internet connections except in specific locations (e.g. libraries, where they'd likely be using desktop systems often without cameras needed to deal with QR codes).
While improving security is certainly important, and we know the security vulnerabilities of SMS, the reality is that the same groups of users who are routinely disadvantaged by Google's account recovery procedures -- and often are locked out of their accounts inappropriately -- could be hurt yet again by a QR-code-centric approach.
However, it's a bit too early to panic about this. I have already directly communicated my concerns about this situation to the relevant parties at Google, and have received a response saying that they consider my concerns valid and that this is only the start of the process to determine the best way to improve security, taking into account the very diverse characteristics of Google's users.
What this will actually mean in practice is unknowable right now, of course, but I will endeavor to stay in the loop on this matter to the maximal extent possible.
L