Earlier this year, Dutch National Research and Education Network SURFnet released a two-factor authentication solution based on apps for iOS and Android and QR codes in open source. This solution differs from Google's in that it's a challenge response based token (like a DigiPass or RSA SecurID).
The solution is called tiqr and the apps are available for free from the app store. More information, the source code and a demo can be found on https://tiqr.org/
Google’s QR code experiment seems to have been concluded, with a promise of new security features to come.
The method was similar to Google’s two-step log-in process introduced in February 2011. The secure access method requires you to enter your password as well as a unique short code generated by a ‘trusted device’, such as your smartphone, in order to log-in to your account.
Both the QR code access method and two-step verification system added another layer of security to our personal accounts, but the former method made things easier and quicker — on the basis you owned a smartphone.
How you were able to do it:
- Go to accounts.google.com/sesame on your computer and you will see a QR code for a particular URL generated by Google.
- Use a QR reader app and scan the QR code on your phone or tablet. Following this, type the username and password of your Google account.
- Now you can click ‘Start with Gmail’ or ‘Start with iGoogle’ and the service is ready to go.
The experiment has now been concluded (whether most users knew it was an experiment in the first place is debatable), with a statement replacing the QR code login method:
Hi there — thanks for your interest in our phone-based login experiment.
While we have concluded this particular experiment, we constantly experiment with new and more secure authentication mechanisms.Stay tuned for something even better!
Dirk Balfanz, Google Security Team.
If you’re logging in on a computer using public Wi-Fi, it is a safer method to use QR code based log-in systems, as the entire exchange can’t be recorded, and keylogging is ineffective. You need to be logged in to Google on your phone, but at least in theory this is safer than using an unknown, public computer system.
This may be the reason why Google never announced the log-in method on a public level. Although it wasn’t a fullproof method of keeping account details safe, it did come in handy for the short time it existed if you had to rely on public computers. What do you think is coming next?
Image credit: Emmanuel Digiaro/Flickr
Related:
