All Google Workspace customers and users with a personal Google account, such as those created for Gmail, will no longer need to provide a phone number to authenticate themselves. Previously the business required a phone number be provided during the initial set-up of an account so that a one time password (OTP) could be communicated through an SMS message or a robocall. Now users can select another authentication method instead, such as an authenticator app, and thus avoid the need to ever provide a phone number.
Google’s announcement said nothing about the motives for the change other than stating it will ‘streamline the process’ of onboarding new users, and that it will make it easier for administrators to enforce their preferred authentication method across their organizations. The reality is that the change will reduce Google’s costs because they will need to pay for fewer comms with users. It also has the benefit of encouraging users to adopt more secure ways of demonstrating who they are. The overuse of A2P SMS for sending passwords has fueled the growth of a criminal industry dedicated to performing unauthorized SIM swaps.
A2P SMS has been a rare source of revenue and traffic growth for traditional comms providers buffeted by the permanent decline in billable voice minutes. That growth appears to be nearing an end per industry forecasts. Some of the blame lays with traffic that has been artificially generated by bots that create accounts on internet platforms solely because the OTPs will boost the profits of comms businesses that convey them. A recent article by Simeon Coney for Commsrisk highlighted the multiple methods being used to artificially inflate traffic. The problem of artificial traffic could ultimately lead to the demise of SMS, warns Michael Lazarou.
The death of SMS will not happen overnight because too many banks depend on it for authenticating customer transactions, but Google’s change in policy signals an acceleration in the switch to better ways of ensuring that only the right people have remote access to systems and services.
You can read Google’s announcement here.


