20.5k unique visitors in the last 3 days

Google Stops Demanding Users Give a Phone Number for SMS 2FA

A change of policy at the internet giant signals the inevitable decline of one time passwords sent by SMS.

All Google Workspace customers and users with a personal Google account, such as those created for Gmail, will no longer need to provide a phone number to authenticate themselves. Previously the business required a phone number be provided during the initial set-up of an account so that a one time password (OTP) could be communicated through an SMS message or a robocall. Now users can select another authentication method instead, such as an authenticator app, and thus avoid the need to ever provide a phone number.

Google’s announcement said nothing about the motives for the change other than stating it will ‘streamline the process’ of onboarding new users, and that it will make it easier for administrators to enforce their preferred authentication method across their organizations. The reality is that the change will reduce Google’s costs because they will need to pay for fewer comms with users. It also has the benefit of encouraging users to adopt more secure ways of demonstrating who they are. The overuse of A2P SMS for sending passwords has fueled the growth of a criminal industry dedicated to performing unauthorized SIM swaps.

A2P SMS has been a rare source of revenue and traffic growth for traditional comms providers buffeted by the permanent decline in billable voice minutes. That growth appears to be nearing an end per industry forecasts. Some of the blame lays with traffic that has been artificially generated by bots that create accounts on internet platforms solely because the OTPs will boost the profits of comms businesses that convey them. A recent article by Simeon Coney for Commsrisk highlighted the multiple methods being used to artificially inflate traffic. The problem of artificial traffic could ultimately lead to the demise of SMS, warns Michael Lazarou.

The death of SMS will not happen overnight because too many banks depend on it for authenticating customer transactions, but Google’s change in policy signals an acceleration in the switch to better ways of ensuring that only the right people have remote access to systems and services.

You can read Google’s announcement here.

Eric Priezkalns
Eric Priezkalnshttp://revenueprotect.com

During his career, Eric has been a Director of Risk Management for a national telco, the Chief Executive of the Risk & Assurance Group, a Chief Marketing Officer for a software business, a consultant, a public speaker and the publisher of Commsrisk since its launch in 2006. Look here for more about the history of Commsrisk and the role played by Eric.

The comms providers that Eric has worked for include Qatar Telecom, Cable & Wireless, T‑Mobile, Sky and Worldcom. In addition to his proficiency at speaking about the current scamdemic, Eric is also a qualified chartered accountant and a subject matter expert in consumer protection, enterprise risk management, fraud prevention, data integrity and billing accuracy. Eric was the lead author of Revenue Assurance: Expert Opinions for Communications Providers, published by CRC Press. He can be reached through the contact form on this website.

Related Articles

The Commsrisk Global Fraud Dashboard


Our Global Fraud Dashboard uses AI-powered search to collate, update and visualize data about scams and other network abuses from around the world. New charts are added each month. See it here.

Get Our Weekly Newsletter by Email