jerry.hildenbrand@futurenet.com (Jerry Hildenbrand)
2025-02-28 13:08:00
www.androidcentral.com
Google is working to replace the SMS code authentication used to sign into a Google account with a QR code that you scan. Several severe flaws with this idea aside, it’s still good that Google is trying to make proving who we are a little more streamlined and less nerdy. If it weren’t such a pain to do it, more services would offer MFA (multi-factor authentication), and more of us would use it.
Google’s not alone here. Microsoft, Apple, and organizations like the FIDO Alliance are working on the issue, too. These companies know that it’s something that benefits everyone, and it needs to be done in a simple yet effective way.
Before discussing Google’s new idea, you need to know what authentication is. I can tell you who I am and that is me providing my identity. That will never change and I will always be me even if I change my name. I’m still this person.
But sometimes I need to prove it and authenticate that I am who I say I am, because it’s super easy for me to lie. You don’t want Joe Random to have access to your bank or other online account, so proof is mandatory.
There are three types of authentication, and for a service to be secure it needs to use at least two. Using two methods lowers the chance that I’m someone else just trying to get into Jerry’s account.
Knowledge: Something only the real Jerry would know, like a password or a PIN.
Ownership: Something only the real Jerry has, like an ID card or a software token on a phone.
Inherence: Something the real Jerry is or does, like supplying a fingerprint or a retina scan.
You’ll always need to use a password or PIN for one type of authentication, but for something to be considered secure, you need to use one of the other two types. That’s where things can get messy.
Google thinks it would be better and easier to show you a QR code you can scan to supply proof of ownership than to send you an SMS message. It would definitely be more secure because SMS messages aren’t difficult to spoof or “hack” into.
It also has two potential problems I can spot: it can require two devices and may only work seamlessly if you use an up-to-date Android phone. I’ll give you a worst-case example:
I buy a new iPhone 16 Pro Max, and I want to sign into my Gmail account. I can’t use an authenticator app because I need access to set one up or switch to a new one in my Google account, so I have to use the fallback method. Google then shows me a QR code. A QR code on the screen of the only device I have and the one I’m trying to use to sign into my account. Can you spot the problem here?
The secondary problem is, what if I do have a QR code scanner on my new iPhone and scan the code? What happens next? If I have an Android phone with the latest version of Google Services installed, the process can be whisked away and handled automatically. It could be done through something like Google Lens or even Circle to Search, so it works with one device.
Since I am trying to do this on my iPhone, I just have to use the fallback for the fallback and get an SMS. SMS authentication is insecure, but it’s necessary. It makes sense to use this for Android phones and a Google account. Not so much for other devices.
This is the real problem with authentication. It’s always going to require some extra steps, and those extra steps can be a pain in the you-know-what. Using your fingerprint scan — something that never changes and is your identity, not a means of authentication — was a big step towards making all this less messy. Unfortunately, you can’t use the fingerprint until you have it set up and Gmail doesn’t support using it to get into your account for the first time.
I don’t know how you “fix” this, but I do know that really smart people are working on it. We’ve seen things progress from an on-device keychain that holds auth methods to fingerprint scans, to Passkeys, and now QR codes. Keeping SMS as a fallback option is smart, too, because every device with a phone number can get one.
Google has yet to reveal all the details of how this will work, so we will likely hear more about it before it rolls out. In any case, we have reached out to Google for more information and will update this article when we hear back.
I think this will be fixed, even though I don’t know how. Then, we will have to wait until every service we want to use adopts safe and simple authentication methods.