The Buddy System: Why Google is Finally Killing SMS Authentication
In The Simpsons episode Bart vs. Lisa vs. the Third Grade (Season 14, Episode 3), the students of Springfield Elementary pile onto a school bus for a field trip to Capital City. Their third-grade teacher, wanting to make sure no one gets left behind, implements the Buddy System: each student is paired with a partner who will watch out for them, and if one gets lost, the other is supposed to report it. But when Bart and Lisa, assigned to each other, get into a fight and miss the bus back, the teacher does a headcount and asks the students if anyone is missing a buddy. Silence. Not a single child raises a hand.
Satisfied, she smiles. “Ah, the Buddy System,” she says, “foolproof.”
Of course, it wasn’t foolproof at all. The system assumed that at least one buddy would always be there to vouch for the other; when both went missing at once, there was nobody left to raise the alarm. And that, in a nutshell, is why Google is finally abandoning SMS-based two-factor authentication (2FA) for Gmail.
For years, SMS-based authentication has been marketed as an extra layer of security, a way to keep attackers out of accounts even if passwords are stolen. We have all used it: we visit a website and receive a text with a four- or six-digit code, which we type back into the site (or which the browser or phone fills in automatically by reading the text). But security experts have known the truth all along: an SMS code is not an independent second factor. It is just another password, one that travels over a channel an attacker can take over as easily as they can steal the first.
Multi-factor authentication (MFA) and multi-channel authentication (MCA) are often confused, but they serve different purposes in securing accounts. MFA requires authentication from two or more distinct categories of security factors—something you know (a password), something you have (a physical device or security key), or something you are (biometric data like a fingerprint or facial recognition). The key requirement is that these factors must be independent so that compromising one does not automatically compromise the other.
Multi-channel authentication (MCA), on the other hand, refers to using different communication channels for authentication, for example receiving a password via email and a one-time code via SMS. While MCA can improve security by separating verification methods, it does not guarantee independence between authentication factors. If an attacker gains control over multiple channels, through a SIM swap or an email compromise, MCA can be rendered useless. The SMS authentication scheme is a form of multi-channel authentication: a one-time PIN, which is functionally just another password (something you know), delivered through a separate channel (the SMS network). It only proves possession of the phone if the phone number cannot be taken away from you. If, to read the SMS message, you had to enter your own PIN or pass facial recognition (something you know, something you are), that would add a genuine second factor, making it multi-FACTOR authentication. The best systems are BOTH multi-factor and multi-channel, provided of course that the channels and factors are truly independent of each other. They rarely are.
Like the Buddy System on the school bus, it looks secure until both factors fall into the wrong hands. Then, it’s worse than no security at all, because it gives people a false sense of protection while making them easier to exploit.
The Fatal Flaw in SMS Authentication
For years, tech companies have relied on SMS-based authentication on the assumption that a phone number is a physical possession, something only the account owner can control. That assumption does not hold. Criminals have been exploiting SIM swap fraud for over a decade, using it to hijack phone numbers and take over accounts. The attack is simple but devastatingly effective:
A hacker, armed with some stolen personal information, contacts the victim’s mobile carrier, pretends to be the account holder and claims the phone was lost or stolen. With enough convincing (or with a bribed insider who has access to the carrier’s provisioning systems), the carrier moves the victim’s phone number to a SIM card the attacker controls. That is a SIM swap. Porting the number out to another carrier achieves the same result, and weaknesses in the SS7 signalling protocols that interconnect carriers have been exploited to reroute SMS messages to threat actors without touching the victim’s account at all. From that moment on, all SMS messages, including authentication codes, are delivered to the hacker’s device instead of the real account holder’s.
And that’s where everything falls apart.
With SMS authentication, the hacker can reset the victim’s Gmail (or other email) password, using the stolen phone number to receive the verification code. Once inside the email account, they can dig through messages for login details to other services, like online banking or cryptocurrency exchanges. Many of those services also use SMS or email-based authentication, creating a chain reaction where the hacker controls both factors at the same time.
The moment a hacker has both the password and the second factor, the entire security system collapses. It’s the digital equivalent of Bart and Lisa both missing the bus, except instead of being stranded on a field trip, the victim is locked out of their accounts, their money is stolen and their identity is hijacked. A breakdown in one factor leads to a breakdown in all the others: two-factor authentication quickly becomes one-factor authentication, and then no-factor authentication. What’s worse, for things like stolen cryptocurrency, the exchanges often have terms of service that not only restrict users’ ability to sue for losses but also disclaim any warranty whatsoever. Caveat emptor.
Google Finally Pulls the Plug
For years, Google allowed SMS-based authentication as a fallback security method, even as experts warned about its flaws. But as SIM swap fraud exploded, it became clear that SMS was doing more harm than good. On February 24, 2025, Google confirmed to Engadget that Gmail would officially stop using SMS for two-factor authentication, replacing it with QR codes.
“We want to move away from sending SMS messages for authentication,” Gmail spokesperson Ross Richendrfer told reporters. “SMS codes are a source of heightened risk for users, and we’re pleased to introduce an innovative new approach to shrink the surface area for attackers and keep users safer from malicious activity.”
The shift to QR codes removes the weaknesses specific to SMS: there is no text message to intercept, no phone number to hijack and no carrier employee to trick. The verification instead happens on the user’s own device, which makes SIM swap attacks irrelevant and phishing harder. At least for now. As a Duke University study showed, fake QR codes can direct users to fake websites where they are prompted to hand over real credentials. As with SMS, the problem is not just spoofing; it is that spoofing can create the illusion of security.
This move away from SMS is part of a broader industry trend. Tech companies have been slowly phasing out SMS authentication in favor of more secure methods, including:
Authenticator apps (Google Authenticator, Authy)
Hardware security keys (YubiKey, Titan Security Key)
Biometric authentication (Face ID, fingerprint scans)
Passkeys and FIDO-based authentication
Each of these options keeps the second factor on hardware the attacker would have to physically hold, so it cannot be captured by hijacking a phone number. But an attacker can still take one factor and use it to reach the other, usually through account recovery. Part of the problem is that we design authentication systems (rightly) for failure. We prioritize (rightly) access over lockout. If I forget my password, or facial recognition stops working, I want to be able to reset the password or bypass the authentication. Every such recovery path is a weaker factor that the whole system inherits, and once we take it, we break the security.
Why SMS Authentication Stuck Around for So Long
If SMS authentication was so flawed, why did it take this long for companies like Google to abandon it?
The answer lies in money.
SMS is big business for phone companies — and others. When the National Institute of Standards and Technology (NIST) first attempted to deprecate SMS authentication, in the 2016 draft of its Digital Identity Guidelines (SP 800-63B), mobile carriers fought back hard. They weren’t motivated by security concerns; they were protecting a revenue stream.
SMS authentication messages generate revenue for telecom companies because they are classified as Application-to-Person (A2P) messages, meaning they are sent by businesses rather than individuals. Unlike Person-to-Person (P2P) texts, which may be covered under unlimited texting plans, A2P messages are billed at a per-message rate, typically ranging from $0.002 to $0.05 per message, depending on the telecom provider and the volume of messages sent. Since companies like Google, Facebook and banks send billions of SMS authentication messages per year, this adds up to a significant revenue stream for telecoms. In 2022 alone, it was estimated that the global A2P messaging market was worth $60 billion, with authentication messages making up a large portion of that. Major telecom providers, such as AT&T, Verizon and T-Mobile, have profited heavily from this system, which is why they resisted efforts by NIST and security experts to phase out SMS authentication.
Many companies do not interact directly with telecom providers. Instead, they rely on A2P (Application-to-Person) messaging aggregators like Twilio, Sinch, Infobip and MessageBird, which route authentication messages efficiently and negotiate bulk rates with carriers. These intermediaries charge companies for SMS delivery, taking a cut before paying telecoms. For example, Twilio made over $4 billion in revenue in 2023, largely from SMS services, while Sinch processed nearly 600 billion messages that same year, generating billions in revenue. Eliminating SMS-based authentication cuts into this revenue stream, which is one reason why the telecom industry has been slow to acknowledge its security flaws.
In addition to telecoms and aggregators, some companies provide authentication as a service—offering businesses secure login solutions that include SMS, but also more advanced MFA options. Major players include Google, Microsoft, Okta, Duo Security (owned by Cisco) and Auth0 (owned by Okta). These companies sell authentication services as part of enterprise security solutions, often charging businesses subscription fees or per-user licensing costs for their MFA technology. Okta, a leading identity provider, generated over $2.2 billion in revenue in 2023, much of it from authentication and identity verification services. Unlike A2P providers, who rely on SMS traffic volume, authentication service providers make money by selling security solutions that businesses use to protect their employees and customers.
We Want to Pump – You Up
SMS traffic pumping, also known as artificially inflated traffic (AIT) or toll fraud, is a scam in which fraudsters manipulate online services into sending large volumes of SMS messages to phone numbers they control in expensive destinations: premium-rate numbers, or number ranges in countries with high termination fees. These schemes are orchestrated by criminal groups, sometimes in collusion with corrupt telecom operators, who register high-cost numbers and then generate bogus sign-up attempts or authentication requests that trigger SMS messages. Each time a verification code is sent to one of these numbers, the fraudsters receive a share of the termination fees, the charges paid by companies like Google, Facebook or banks to telecom providers for delivering SMS messages. If a service lets anyone request a code and resend it without limit, attackers can amplify the fraud, tricking it into sending thousands of messages and racking up enormous fees. This type of fraud costs companies millions of dollars annually, because they pay for every outgoing message even if it never reaches a legitimate user. To combat this, major tech companies have been moving away from SMS authentication, as the cost of fraud and abuse outweighs the benefits of using SMS as a verification method.
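To make the abuse pattern concrete, here is detection logic run over a constructed OTP send/verify log. It is added here as an example and is not code from the article or from any carrier or aggregator; the log schema, the prefix length and the thresholds are assumptions chosen for illustration. It flags destination prefixes that receive many codes yet almost never verify one, or whose destination numbers march through a range in order, which is what a bot enumerating a block it controls looks like.

```python
"""Flag likely SMS traffic pumping in an OTP send/verify log.

Added example (not from the article or any provider). Constructed log below.
Signals used: (1) many sends to one destination prefix with almost no
successful verifications, (2) destination numbers that run through a range
in near-sequential order. Thresholds and the log schema are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class OtpEvent:
    ts: int       # seconds since epoch
    number: str   # destination in E.164 form, e.g. "+14155550100"
    event: str    # "send", "resend" or "verified"


# Constructed sample log: one real user who verifies, then a bot burst that
# requests codes (and resends) for 40 consecutive numbers in one prefix.
SAMPLE_LOG = (
    [OtpEvent(1000, "+14155550100", "send"),
     OtpEvent(1030, "+14155550100", "verified")]
    + [OtpEvent(1100 + i, f"+22507000{i:04d}", "send") for i in range(40)]
    + [OtpEvent(1200 + i, f"+22507000{i:04d}", "resend") for i in range(40)]
)


def prefix_of(number: str, digits: int = 7) -> str:
    """Group by the leading characters: '+', country code and operator block."""
    return number[:digits]


def sequential_fraction(numbers) -> float:
    """Share of adjacent (sorted) numbers that differ by at most 10.
    Near 1.0 means someone is walking a number range."""
    values = sorted(int(n.lstrip("+")) for n in numbers)
    if len(values) < 2:
        return 0.0
    close = sum(1 for a, b in zip(values, values[1:]) if b - a <= 10)
    return close / (len(values) - 1)


def score_prefixes(log, digits: int = 7):
    """Aggregate send/resend/verified counts and distinct numbers per prefix."""
    stats = defaultdict(lambda: {"sends": 0, "resends": 0, "verified": 0, "numbers": set()})
    for e in log:
        s = stats[prefix_of(e.number, digits)]
        if e.event == "send":
            s["sends"] += 1
        elif e.event == "resend":
            s["resends"] += 1
        elif e.event == "verified":
            s["verified"] += 1
        s["numbers"].add(e.number)
    return stats


def flag_pumping(log, min_sends=20, max_verify_rate=0.10, seq_threshold=0.80):
    """Return {prefix: evidence} for prefixes worth throttling or blocking.

    A prefix is flagged once it has enough volume to judge AND either almost
    nothing sent there is ever verified, or the numbers are near-sequential.
    Legitimate traffic to a popular prefix has a healthy verify rate and
    scattered numbers, so it passes.
    """
    flagged = {}
    for prefix, s in score_prefixes(log).items():
        total = s["sends"] + s["resends"]
        if total < min_sends:
            continue
        verify_rate = s["verified"] / total
        seq = sequential_fraction(s["numbers"])
        if verify_rate <= max_verify_rate or seq >= seq_threshold:
            flagged[prefix] = {"sent": total, "verify_rate": verify_rate, "sequential": seq}
    return flagged


if __name__ == "__main__":
    for prefix, evidence in flag_pumping(SAMPLE_LOG).items():
        print(prefix, evidence)
```

On the sample log the Ivory Coast prefix is flagged (80 messages, nothing verified, perfectly sequential numbers) while the single US user is not. In practice the flag feeds a control rather than a report: require the first code to be verified before a resend is honoured, cap sends per destination prefix and per country over a rolling window, and put a CAPTCHA or a cooling-off period in front of prefixes that trip the rule.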
But as SIM swap fraud became more common and more damaging, tech companies could no longer ignore the problem. The cost of security breaches and user complaints outweighed the financial convenience of sticking with SMS.
Google’s decision to pull the plug on SMS authentication marks the end of an era. Other companies are likely to follow, and within a few years, SMS authentication may disappear entirely.
A Broken System
For years, users believed that SMS authentication was protecting them. But in reality, it was just security theater—a flawed system that looked strong while leaving millions vulnerable. Google’s shift away from SMS is a long-overdue correction, a recognition that a security system that can be easily bypassed isn’t security at all. Among other authentication schemes, Google has announced that it intends to use QR authentication.
QR code authentication replaces the SMS code with a device-based verification step that removes the interception and SIM swap risks. When a user attempts to log in, instead of receiving a one-time password (OTP) via SMS, the system displays a unique QR code on their computer screen. The user scans it with their phone’s camera using an authentication app (such as Google Authenticator, Microsoft Authenticator, or a dedicated app provided by the service). The app reads the QR code, verifies the authentication request and prompts the user to confirm, often with biometric verification like Face ID or a fingerprint. Thus two factors are used locally: the enrolled device and the biometric or PIN that unlocks it. Once confirmed, the login completes without a text message ever being sent. Because the QR code is tied to the user’s enrolled device and must be scanned in real time, the scheme resists SIM swaps and other remote interception and raises the bar for phishing, making it a somewhat more secure alternative to SMS-based authentication.
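To show what “the verification happens on the user’s own device” actually buys, here is a minimal device-bound challenge-response in Python. It is added here as an example; it is not Google’s protocol, which the article does not describe and neither does this, and the origin names, JSON layout and HMAC construction are assumptions for illustration. The QR code carries a single-use challenge naming the site, the phone answers with a MAC under a secret enrolled once and never transmitted, and the server rejects replays and expired or altered challenges. Nothing an attacker could intercept from the browser or the phone network lets them log in later.

```python
"""Device-bound challenge-response, the core of a QR-code login step.

Added example, not Google's protocol. The QR code encodes a one-time challenge
that names the site; the phone answers with an HMAC under a secret enrolled on
that device and never sent again; the server rejects replays and expired or
altered challenges; the phone refuses to answer for a site that never enrolled
it. Names, JSON layout and the HMAC construction are assumptions.
"""
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional


class Server:
    def __init__(self, origin: str):
        self.origin = origin
        self.devices = {}    # user -> secret enrolled on that user's phone
        self.pending = {}    # nonce -> challenge issued and awaiting an answer
        self.used = set()    # nonces already accepted (replay protection)

    def enroll(self, user: str, device: "Device") -> None:
        # One-time enrollment: the secret reaches the phone once and stays there.
        secret = secrets.token_bytes(32)
        self.devices[user] = secret
        device.store(self.origin, secret)

    def issue_challenge(self, user: str, ttl: int = 60, now: Optional[float] = None) -> str:
        # This JSON string is what the QR code shown in the browser encodes.
        now = time.time() if now is None else now
        ch = {"origin": self.origin, "user": user,
              "nonce": secrets.token_hex(16), "exp": now + ttl}
        self.pending[ch["nonce"]] = ch
        return json.dumps(ch, sort_keys=True)

    def verify(self, challenge_json: str, response: Optional[str], now: Optional[float] = None) -> bool:
        now = time.time() if now is None else now
        if response is None:
            return False
        ch = json.loads(challenge_json)
        issued = self.pending.get(ch.get("nonce"))
        if issued is None or issued != ch:              # unknown, or altered in transit
            return False
        if ch["exp"] < now or ch["nonce"] in self.used:  # stale, or already spent
            return False
        secret = self.devices.get(ch["user"])
        if secret is None:
            return False
        expected = hmac.new(secret, challenge_json.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, response):
            return False
        self.used.add(ch["nonce"])
        del self.pending[ch["nonce"]]
        return True


class Device:
    """The phone: holds one secret per site that enrolled it."""
    def __init__(self):
        self.secrets = {}

    def store(self, origin: str, secret: bytes) -> None:
        self.secrets[origin] = secret

    def respond(self, challenge_json: str, user_confirmed: bool = True) -> Optional[str]:
        # Scan, show the user which site is asking, require biometric/PIN confirmation,
        # then answer only with the secret enrolled for that exact origin.
        ch = json.loads(challenge_json)
        secret = self.secrets.get(ch.get("origin"))
        if secret is None or not user_confirmed:
            return None
        return hmac.new(secret, challenge_json.encode(), hashlib.sha256).hexdigest()


def demo() -> dict:
    """Run the legitimate flow and four attacks; return each outcome."""
    real = Server("https://accounts.example")
    phone = Device()
    real.enroll("alice", phone)
    out = {}

    qr = real.issue_challenge("alice")
    answer = phone.respond(qr)
    out["legit"] = real.verify(qr, answer)             # True
    out["replay"] = real.verify(qr, answer)            # same nonce again: False

    qr2 = real.issue_challenge("alice")
    out["expired"] = real.verify(qr2, phone.respond(qr2), now=time.time() + 3600)

    qr3 = real.issue_challenge("alice")
    altered = json.loads(qr3)
    altered["user"] = "mallory"                         # attacker edits the challenge
    altered_json = json.dumps(altered, sort_keys=True)
    out["tampered"] = real.verify(altered_json, phone.respond(altered_json))

    fake = Server("https://accounts-example.evil")      # attacker-run look-alike site
    out["foreign_origin_refused"] = phone.respond(fake.issue_challenge("alice")) is None
    return out


if __name__ == "__main__":
    print(demo())
```

Two design points matter here. The response is bound to the challenge, so an intercepted answer is useless after the nonce is spent or the TTL passes, which is precisely what an SMS code lacks. The phone also only answers for the origin it was enrolled with, so a look-alike site that generates its own QR code gets nothing. What this alone does not stop is an attacker who starts a genuine login, relays the genuine QR code onto their look-alike page and lets the victim scan it; the phone sees the real origin and answers, and the attacker’s browser session is the one that gets logged in. That relay is the residual phishing risk behind the Duke caveat above, and it is why FIDO’s cross-device sign-in adds a Bluetooth proximity check between the phone and the browser.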
Like the Buddy System in The Simpsons, SMS authentication was only foolproof if everything went right. But when both “buddies” could be compromised at the same time, the entire system was doomed to fail.