Starting in late 2025, Google began requiring QR code scans from an existing Android or iOS device for desktop account signups. The shift was confirmed by Google and reported by TechRadar as part of a broader move away from SMS-based authentication. Didn't matter what IP, what browser, what region. No SMS option. No email fallback. Only solution: just a camera pointed at a screen.
Quick Summary TLDR
Quick Summary TLDR
- 1Google's 2026 QR code requirement is triggered by passive TCP/IP fingerprinting (p0f), not IP reputation. The cleanest residential IP won't change the outcome.
- 2Desktop OS fingerprints (Windows, Linux, macOS) always get the QR code wall. Mobile OS fingerprints (iOS, Android) get SMS verification instead.
- 3We tested multiple proxy types, VPNs, and fingerprint configurations. The method that worked reliably: VoidMob dedicated 5G proxy with an iPhone p0f profile + AdsPower as macOS Safari + carrier-native DNS.
- 4Google reads the iPhone TCP fingerprint + macOS Safari browser fingerprint as hotspot tethering, the most natural Apple ecosystem scenario. This stack consistently got SMS verification in our testing.
- 5Each account needs its own dedicated proxy endpoint, AdsPower profile, and carrier-based phone number. Rotating IPs during the first 72-hour trust-building window was the most common cause of account lockouts we saw.
For anyone running Google multi-account management workflows at scale, this change broke existing setups. We tested residential mobile proxies, premium VPNs, UK and Japanese exit nodes. None of them got past the QR code wall from a desktop connection. Multilogin's 2026 documentation confirms the same wall affecting their entire user base. If you're coming from the broader guide on creating accounts without a phone number, this is the 2026-specific wall that changed the game.
Here's what most guides still get wrong: this isn't about IP reputation. Google's detection runs deeper, down at the TCP/IP fingerprint level. Understanding why Google requires the QR code for new account signups is the first step toward finding a bypass that actually holds up.
Why Every Proxy and VPN Failed: The p0f Problem
Here's what's actually happening at the network level.
Google uses passive OS fingerprinting, commonly known as p0f, to classify incoming connections before the signup page even fully renders. p0f analyzes TCP SYN packet characteristics: initial TTL values, window size, MSS, TCP options ordering, and the DF bit. Each operating system leaves a distinct signature in these values. Windows 10 looks different from Windows 11, Linux looks different from macOS, and critically, iOS looks different from all of them.
When Google's system detects a desktop OS fingerprint (Windows, Linux, standard macOS), it routes the signup flow to QR code verification. When it detects a mobile OS fingerprint, specifically iOS or Android, it offers SMS verification instead. That's it. That's the whole decision tree at this layer.
The cleanest residential IP on earth won't change this. If the TCP fingerprint says "Windows," it's a QR code. Modern bot detection systems operate at multiple layers simultaneously. FingerprintJS's 2025 analysis documents this multi-layered approach combining server-side TLS fingerprints, client-side JS attributes, and cross-verification. But p0f operates before any of that JavaScript even runs.
| Attempt | Proxy Type | OS Fingerprint | Result |
|---|---|---|---|
| #1 | Home ISP (US) | Windows 10 | QR code wall |
| #2 | Shared residential (DE) | Windows 11 | QR code wall |
| #3 | Datacenter (US) | Linux | QR code wall |
| #4 | Rotating mobile (UK) | macOS Ventura | QR code wall |
| #5 | Mobile proxy (generic) | iOS 17 (partial) | SMS prompt, Messages deep link dead end |
| #6 | VoidMob 5G dedicated (US) | iPhone p0f | SMS prompt, OTP received, account created |
The Partial Success That Revealed Everything
Attempt #5 failed, but it revealed the actual bypass mechanism.
We tried a generic mobile proxy provider that offered what they called "iOS fingerprinting." It partially worked. Google's signup page actually showed the SMS verification option instead of the QR code. The first time in our entire testing sequence.
But then a completely different wall appeared. Google sent the verification through an iMessage-style deep link that tried to open Apple's Messages app directly. On a desktop browser, even one spoofing mobile Safari, there's no Messages app to open. The whole flow dead-ended at an "Open in Messages" prompt with no fallback to a standard SMS OTP input field.
So the iOS p0f fingerprint was clearly the key to bypassing the QR code at the network layer. But the browser fingerprint needed to match a device that could plausibly receive SMS through a standard input field, not an app deep link.
That pointed directly to the macOS Safari combination.
The Working Method: iPhone Network + macOS Browser
The combination works because of how Google splits verification logic across layers.
macOS Safari is a desktop browser that shares Apple's ecosystem identity. Google's system sees an iPhone TCP fingerprint at the network layer (mobile device, so SMS verification eligible) combined with a macOS Safari browser fingerprint at the application layer (desktop Safari, so standard SMS input field instead of Messages deep link).
"iPhone at the network layer, macOS Safari at the browser layer. Google reads it as hotspot tethering, the most natural multi-device scenario in Apple's ecosystem."
Google's verification logic reads this as someone on an iPhone hotspot browsing from their Mac, one of the most common multi-device scenarios in Apple's ecosystem. No flags raised. This is consistent with how browser fingerprinting works in practice: platforms cross-reference network-layer signals against application-layer signals, and any inconsistency is a detection trigger.
What You'll Need
Before starting, make sure you have:
- A VoidMob account with a dedicated 5G proxy endpoint (not shared/rotating)
- AdsPower antidetect browser (or similar with full fingerprint control)
- A carrier-based phone number for SMS verification (not VoIP)
Exact Setup: AdsPower + VoidMob 5G Proxy
Proxy Configuration:
On VoidMob's dashboard, provision a dedicated 5G mobile proxy with these specifics:
- Carrier: Any major US carrier works (T-Mobile, Verizon, AT&T). We used Verizon (ASN 6167, CELLCO-PART) for our testing
- p0f profile: iPhone 12 (this is the critical setting. Most proxy providers don't expose this)
- DNS: Carrier-native (do NOT override with Google DNS or Cloudflare)
- IP rotation: disabled
Carrier-native DNS is worth keeping. A real iPhone on Verizon uses Verizon's DNS resolvers by default. Overriding with 8.8.8.8 or 1.1.1.1 won't break anything on its own, but it's one more detail that doesn't match the "iPhone tethering on carrier" profile you're trying to present. The goal is fingerprint consistency across every layer, and DNS is part of that stack. See the carrier-native DNS deep dive for a full breakdown of why this matters.
AdsPower Browser Profile:
1 { 2 "os": "macOS", 3 "browser": "Safari 17.4", 4 "screen_resolution": "1440x900", 5 "language": "en-US", 6 "timezone": "America/New_York", 7 "webrtc": "disabled", 8 "canvas_noise": true, 9 "webgl_vendor": "Apple", 10 "webgl_renderer": "Apple M2", 11 "proxy_type": "SOCKS5", 12 "proxy_host": "[your-voidmob-endpoint]", 13 "proxy_port": "[assigned-port]", 14 "dns_override": "none" 15 }
WebRTC Must Be Fully Disabled
Set WebRTC to "disabled," not just "replace." Any WebRTC leak exposes the actual machine's OS and blows the fingerprint consistency wide open. Use VoidMob's WebRTC leak test to verify before running any signup sessions.
Browser Choice Is Critical
Do NOT use Chrome or Firefox fingerprints. Google's deep link behavior changes based on detected browser. Only macOS Safari consistently receives the standard 6-digit SMS OTP input field instead of the Messages app redirect.
Creation-to-Maintenance Workflow
The actual signup flow is straightforward once the fingerprint stack is right:
- Launch AdsPower profile with the config above
- Navigate to accounts.google.com/signup
- Fill standard registration fields
- When SMS verification appears (not QR code), use a non-VoIP US carrier number for Google SMS verification. SMS verification provides real carrier numbers from the same dashboard, no separate provider needed
- Enter the 6-digit OTP
- Complete account setup, add recovery email (not another Google account)
- Stay logged in for 15+ minutes, perform 3-4 normal searches
- For subsequent logins over the next 72 hours, use the same AdsPower profile and same proxy endpoint
- After the trust-building window, you can move to a shared mobile proxy for cost efficiency (sticky sessions only)
After consistent fingerprinting over a 72-hour window, Google's trust score for the account stabilizes. Subsequent logins become much less sensitive to exact fingerprint matching.
Troubleshooting Common Issues
Still getting QR code prompt: Almost always a p0f mismatch. This was the root cause in the majority of our failed attempts. Use VoidMob's fingerprint test to check canvas, WebGL, and device signals before testing the proxy's TCP fingerprint using a local p0f instance. If the fingerprint reads as Linux or Windows, the proxy provider isn't actually modifying the TCP stack. They're just changing the User-Agent header, which does nothing at this layer.
SMS prompt appears but redirects to Messages app: The browser fingerprint is set to iOS Safari (mobile) instead of macOS Safari (desktop). Change the browser profile OS from iOS to macOS while keeping the proxy's p0f as iPhone. Small difference in configuration, completely different result.
OTP never arrives: Number quality issue. VoIP numbers face 60-80% rejection rates on platforms with fraud detection. Google accepts the number but never sends the code. Carrier-based numbers only. For a full breakdown of how platforms identify VoIP numbers at the signal level, see the guide on avoiding VoIP detection.
Account locked after 24 hours: In our experience, this typically came down to fingerprint inconsistency between the creation session and the first re-login. The same AdsPower profile should be used for the first 72 hours, with the same proxy endpoint. Rotating IPs during the trust-building window is a common mistake when setting up Google multi-account management at scale.
One Profile Per Account
For Google multi-account management, each account should have a separate AdsPower profile with its own dedicated VoidMob proxy endpoint. Sharing proxy endpoints across accounts creates cross-contamination signals that Google's linking algorithms detect within days. The guide on building privacy-centric digital fingerprints covers the full isolation stack.
FAQ
1Why does Google require a QR code for new accounts in 2026?
Google's stated reason is security: QR code verification ties new accounts to an existing authenticated device. The underlying mechanism uses p0f passive fingerprinting to determine device class. Desktop connections get QR code. Mobile connections get SMS. It's a device trust decision, not an IP trust decision.
2Can residential proxies bypass Google's QR code verification?
No. Residential proxy IP quality is irrelevant to this specific check. Google's QR code decision happens at the TCP/IP fingerprint layer before IP reputation even enters the picture. A bypass requires modifying the actual TCP stack fingerprint to appear as a mobile device.
3Does this method bypass Google OTP entirely?
No, and that's actually the point. SMS OTP is the fallback verification method Google offers to mobile devices instead of QR codes. A successful QR code bypass means getting routed to SMS verification, which is completable without a physical phone nearby.
4What makes VoidMob's proxies different from other mobile proxies for this use case?
Configurable p0f fingerprinting. Most mobile proxy providers route traffic through mobile carrier IPs but don't touch TCP stack characteristics. VoidMob's dedicated 5G proxies allow selecting specific device p0f profiles (iPhone, Samsung, Pixel), which is what Google's detection actually reads. That distinction matters more than any other proxy feature for this use case.
5How many Google accounts can be created with this method?
Each account needs its own dedicated proxy endpoint, unique AdsPower profile, and separate phone number. The technical limit comes down to available proxy endpoints and phone numbers, not any rate limit in the method itself.
Why p0f Is the Key to Google Account Creation in 2026
Google's 2026 QR code requirement isn't going away. If anything, more platforms will adopt similar device-class detection in the coming months. Cloudflare's bot management documentation already describes TCP fingerprinting as a standard signal, and Meta's account creation flow has shown similar patterns in how it classifies device types at the network layer.
We went through multiple proxy types, VPN configurations, and browser fingerprint combinations before landing on this method. The iPhone TCP fingerprint plus macOS Safari browser fingerprint plus clean carrier IP was the only stack that reliably bypassed the QR code wall in our testing.
The detection layer most people don't know exists is p0f. Address it and the QR code wall disappears.
A Note on Longevity
This method was tested and verified as of March 2026. Google can update its p0f signature mapping or verification logic at any time. If the method stops working, the most likely cause is a change in how Google classifies device fingerprints, not an issue with the proxy or browser configuration itself. We'll update this post if the landscape shifts.