What Google Dropping SMS OTPs Means for Mobile Identity

March 2025

Telecoms & Connectivity

Georgia Allen

Research Analyst

Google has just shaken up its Gmail login process by announcing the removal of SMS one-time passwords (OTPs), replacing them with QR codes for identity verification. Given growing concerns over the security and cost of SMS OTPs, the move makes sense — but the switch to QR codes caught many off guard.

It’s worth noting that this update won’t affect everyone. Many users already rely on more secure options like passkeys or the Google Authenticator app, and they’ll continue to do so. The change primarily targets those still using SMS OTPs, which have long been criticised for their vulnerability to phishing and interception.

So, why now — and why QR codes?

Why Switch Now?

SMS OTPs have experienced high levels of fraudulent activity recently, impacting all stakeholders in the value chain, including mobile subscribers, enterprises and mobile operators. Fraudulent activity such as artificially inflated traffic (AIT) and SMS trashing attempts have led to diminishing trust in SMS as an authentication method; leaving stakeholders to seek alternative methods to verify their users. AIT and SMS trashing occurs when fraudulent players generate many fake accounts on a legitimate enterprise’s website, prompting two-factor authentication and thus a significant number of OTPs to be sent via SMS.

Additionally, the cost of A2P SMS has risen considerably in the last couple of years, with A2P SMS costs almost doubling in some regions. This has made authentication particularly costly for enterprises, with the combination of these increased costs and high levels of fraudulent activity intensifying the need for new forms of mobile identity.

Total Cost of AIT and SMS Trashing to Enterprises ($m) in 2024

Source: Juniper Research

Google’s decision, therefore, to replace SMS OTPs in their Gmail authentication processes is not a surprise, despite the dominance of SMS OTPs within mobile identity, and we anticipate that many enterprises and organisations will follow in this development.

Are QR Codes the Answer?

While Google’s switch from SMS OTPs for Gmail was an entirely expected move, the announcement that QR codes would be the new method to authenticate a user was less anticipated. QR codes have numerous benefits, including enhanced security through the requirement for the user to be present to scan the QR code, as well as removing the need for users to memorise often complex passwords. Furthermore, QR codes enable quick authentication and require little infrastructure from the enterprise; making them cost-effective. These benefits make them a viable alternative to the previously dominant SMS OTPs.

However, there are limitations when considering QR codes for mobile identity. The use of QR codes assumes a level of technology that not all users may have, as it depends on the user having a smartphone or device with camera and scanning capabilities. Also, it presumes that most users will be accessing their Gmail account on an alternative device from the one that is being used to scan the QR code, which with the demand for access to accounts on the go is unlikely. Therefore, the use of QR codes for mobility identity by Google risks alienating some users.

This switch exemplifies a wider market dynamic, with the issues surrounding SMS OTPs also prompting other organisations to follow a similar trend to Google. The consequence of this will be felt most significantly by mobile operators, who (as per our recent forecasts) received $22.3 billion in SMS OTP revenue globally in 2024. Stakeholders moving away from SMS OTPs as a mobile identity solution to non-operator billed methods provides a substantial threat to future mobile operator revenue streams.

Total Operator-billed Revenue from SMS OTPs ($m), Split by 8 Key Regions, 2025-2029

Source: Juniper Research

So, What's the Future of Mobile Identity?

Given Google’s significant investment and role in the development of rich communication services (RCS), Juniper Research was surprised that Google had opted for QR codes for Gmail authentication. Similar to SMS, RCS can be used for OTPs in authentication, and with Google’s involvement in the development of RCS, it would have seemed a natural progression to implement RCS OTPs into Gmail authentication methods.

RCS offers numerous advantages for mobile identity when compared to SMS, with RCS providing enhanced security through verified sender profiles and branded messaging capabilities. However, the lack of established reach with RCS proves to be a complexity in utilising it for mobile identity, with many mobile operators not yet supporting the messaging platform.

RCS has capabilities extending further than OTPs, with it enabling richer communications between enterprises and customers such as two-way conversations and enhanced graphics and images. Therefore, the developmental and commercial focuses for RCS were centred around marketing and conversational use cases, rather than OTPs.

Additionally, over the top (OTT) messaging platforms such as WhatsApp have a wide reach and are already utilised by some enterprises for OTP use cases, however with this service being provided by one of Google’s rivals, Meta, it explains why Google have not opted for this service for authentication.

In summary, Google’s decision to move away from SMS OTPs responds to the concerns surrounding SMS as an authentication channel, but there is yet to be a clear successor within mobile identity; with a range of options being explored by enterprises. In turn, Juniper Research’s recent mobile identity study predicted that application programming interfaces (APIs) which authenticate users silently in the background of the device, by utilising the mobile network, will replace SMS as the dominant form of mobile identity. This owes to the high level of security that silent authentication APIs offer and the user friendliness provided with a lack of user interaction. 

Georgia is a Research Analyst in Juniper Research’s Telecoms & Connectivity team, providing analysis on the emerging trends and latest developments in the telecommunications market. Her recent reports include Mobile Identity, AIT Prevention, and Robocall Mitigation & Branded Calling.