Google Tightens Gmail Sign-Up Process With Mandatory QR Code and Phone Verification

New account registration steps aim to curb spam and bot-created accounts, but raise accessibility concerns

By Zotpaper
Google has introduced stricter identity verification requirements for new Gmail accounts, now mandating that prospective users scan a QR code and receive a confirmation text message before completing registration — a move that signals a significant shift in how the tech giant manages account creation at scale.

Google has updated its Gmail registration process to require two additional verification steps: scanning a QR code and confirming a phone number via SMS. The change, noted by users in mid-May 2026, represents one of the more substantial overhauls to Gmail's sign-up flow in recent years.

The new process effectively means that creating a Gmail account now requires access to both a smartphone capable of scanning QR codes and a mobile phone number that can receive text messages — requirements that go beyond the optional two-factor authentication Google has long encouraged but not mandated at the point of registration.

What the New Process Involves

Under the updated flow, users attempting to create a new Gmail account are prompted to open their phone's camera or a QR code scanning app, scan a code displayed on the registration page, and then receive a one-time passcode via SMS to the associated phone number. Only after completing both steps can the account be finalised.

This two-pronged approach links each new Gmail account to a specific physical device and phone number from the outset, rather than allowing purely email- or password-based registration.

Google's Likely Rationale

Google has not issued a formal public statement specifically addressing this change, but the motivations are broadly understood within the industry. Free webmail services have long been targets for automated account creation, with bots generating thousands of Gmail addresses for use in spam campaigns, phishing operations, credential-stuffing attacks, and online fraud.

By requiring a QR code scan — which implies the presence of a camera-equipped device — alongside SMS verification, Google raises the practical cost and complexity of bulk account creation. Phone numbers are a finite and traceable resource, making mass registration significantly harder for bad actors.

Accessibility and Inclusion Concerns

However, the changes are not without criticism. Digital rights advocates and accessibility experts have raised concerns that tying Gmail registration to phone number ownership effectively excludes individuals who lack mobile phone access — including some elderly users, people in lower-income brackets, and those in regions with limited mobile infrastructure.

Critics also point out that SMS-based verification carries its own security limitations, as phone numbers can be ported or SIM-swapped by sophisticated attackers, meaning the new system may inconvenience legitimate users more than it deters determined bad actors.

There are also privacy implications: Google's collection of phone numbers at the point of account creation gives the company additional data points for identity linkage across its services.

A Broader Industry Trend

Google's move aligns with a broader trend across major platforms toward phone-number-gated account creation. Microsoft, Meta, and Apple have all implemented similar friction at various points in their sign-up processes, reflecting an industry consensus that anonymous or low-friction account creation poses unacceptable risks at scale.

The long-term impact on Gmail's user growth — particularly in markets where smartphone penetration remains lower — remains to be seen.

§

Analysis

Why This Matters

  • Gmail accounts underpin access to a vast ecosystem of Google services; tighter registration affects not just email but Google Drive, Maps, Play Store, and more — millions of prospective users globally could face new barriers.
  • The change reflects growing pressure on tech platforms to take responsibility for how their services are weaponised for spam and fraud, with regulatory scrutiny intensifying in the EU and US.
  • If successful, this model could accelerate phone-number-gating becoming the de facto standard across the internet, permanently altering how anonymous online participation works.

Background

Gmail launched in 2004 and quickly became the world's dominant free email service, in part because of its relatively frictionless sign-up process. For most of its history, creating an account required only a name, desired username, and password — phone number verification was optional and could often be bypassed.

Over the years, Google gradually increased verification requirements in response to abuse. Phone number prompts became more persistent, and Google began blocking VoIP numbers from being used for verification in some regions. Despite these measures, Gmail addresses remained among the most commonly used by spammers and fraudsters due to the service's scale and reputation.

The rise of AI-powered bot farms has intensified the problem significantly in the 2020s. They enable the creation of thousands of convincing-seeming accounts with minimal human effort, which has prompted platforms across the industry to rethink low-friction registration.

Key Perspectives

Google and Platform Security Advocates: The new requirements are a proportionate response to an escalating abuse problem. Linking accounts to physical devices and real phone numbers creates meaningful accountability and significantly raises the barrier for automated mass registration.

Accessibility and Digital Rights Groups: Mandatory phone verification excludes populations without reliable mobile access, effectively making Gmail — a gateway to much of the modern internet — a service that requires prior ownership of a smartphone and a phone plan. This entrenches digital inequality.

Critics and Security Researchers: SMS verification is a well-documented weak link; SIM-swapping attacks are a known vector, and the security gain may be overstated. The requirement also hands Google additional personal data at the moment of account creation, with limited transparency about how that data is retained or used.

What to Watch

  • Whether Google introduces any exemption pathways for users without mobile phone access, such as verification via a trusted existing account or in-person identity checks.
  • Regulatory responses, particularly from the EU under the Digital Services Act or from consumer protection bodies scrutinising the data implications of mandatory phone number collection.
  • Changes in Gmail's new account registration rates over the coming quarters, which could signal whether the friction is deterring legitimate users as well as bad actors.

Zotpaper

Articles published under the Zotpaper byline are synthesized from multiple source publications by our AI editor and reviewed by our editorial process. Each story combines reporting from credible outlets to give readers a balanced, comprehensive view.