Zero Day

Ryan Naraine and Dancho Danchev

Google testing login authentication via QR codes

By Ryan Naraine and Dancho Danchev | January 17, 2012, 10:18am PST

Summary: Instead of entering a Google Account password on public computers that might be infected with keystroke loggers, Google is experimenting with a phone-based authentication scheme.

Google has quietly tested a new login mechanism for users on public computers — authentication via QR codes scanned by mobile devices.

The phone-based authentication, spotted by the folks at Hacker News before Google pulled it offline, is a variation of the Gmail two-step verification scheme.

Codenamed Sesame, the feature is aimed at users logging into Gmail or other Google accounts on public computers in libraries or coffee shops, where the risk of spyware and keyloggers is high.

It lets users scan a QR code displayed on a special Google Web page. The QR code encodes a URL that opens a page on the user's phone, where the user is already signed in to Google; once that link is tapped, the desktop browser automatically redirects to the user's logged-in Google Account without a password ever being typed on the public machine.
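To make the exchange concrete, here is an added Python sketch of a Sesame-style cross-device login. It is not code from the article or from Google's implementation: the endpoint URL, the token lifetime, the polling design and the account names are assumptions. What it shows is the property that matters on a keylogged machine: the desktop only ever handles a random, short-lived, single-use token, and the credential (the phone's existing login) never touches the public computer.

```python
"""Simulated Sesame-style login: the desktop never sees a password.

Three parties: the untrusted desktop browser, the account server, and the
user's phone, which is already signed in. Everything here is a simulation;
the URL, lifetimes and message shapes are assumptions, not Google's protocol.
"""
import secrets
import time
from urllib.parse import parse_qs, urlparse

TOKEN_TTL_SECONDS = 120  # assumed: how long an unscanned QR code stays valid


class SesameServer:
    """Tracks pending desktop logins keyed by a random, single-use token."""

    def __init__(self, now=time.time):
        self._now = now          # injectable clock so expiry can be exercised offline
        self._pending = {}       # token -> {"created", "approved_by", "consumed"}
        self._sessions = {}      # desktop session cookie -> account name

    # --- desktop side (untrusted machine) ---------------------------------
    def start_login(self):
        """Desktop requests a QR code. Returns (token, URL to encode in the QR)."""
        token = secrets.token_urlsafe(32)  # 256 random bits: a shoulder-surfer cannot guess it
        self._pending[token] = {"created": self._now(), "approved_by": None, "consumed": False}
        # Hypothetical endpoint; the page does not describe the real URL.
        return token, f"https://accounts.example.com/sesame?t={token}"

    def poll(self, token):
        """Desktop polls until the phone has approved. Returns a session cookie or None."""
        entry = self._pending.get(token)
        if entry is None or entry["consumed"]:
            return None
        if self._now() - entry["created"] > TOKEN_TTL_SECONDS:
            del self._pending[token]       # expired: desktop must request a fresh code
            return None
        if entry["approved_by"] is None:
            return None                    # phone has not tapped the link yet
        entry["consumed"] = True           # single use: the token cannot mint a second session
        cookie = secrets.token_urlsafe(32)
        self._sessions[cookie] = entry["approved_by"]
        del self._pending[token]
        return cookie

    # --- phone side (already authenticated) -------------------------------
    def approve(self, token, phone_account):
        """Phone, signed in as phone_account, taps the link it scanned."""
        entry = self._pending.get(token)
        if entry is None or entry["consumed"]:
            return False
        if self._now() - entry["created"] > TOKEN_TTL_SECONDS:
            del self._pending[token]
            return False
        if entry["approved_by"] is not None:
            return False                   # already claimed; a second phone cannot take it over
        entry["approved_by"] = phone_account
        return True

    def whoami(self, cookie):
        """Server-side lookup the desktop's later requests would go through."""
        return self._sessions.get(cookie)


def extract_token(qr_url):
    """What the phone does after scanning: pull the token out of the encoded URL."""
    return parse_qs(urlparse(qr_url).query)["t"][0]


def run_demo():
    """Full round trip with constructed data; returns (account, result of a replayed poll)."""
    server = SesameServer()
    token, url = server.start_login()      # desktop renders `url` as a QR code
    first_poll = server.poll(token)        # nothing yet: None
    scanned = extract_token(url)           # phone scans the code and opens the URL
    server.approve(scanned, "alice@example.com")   # phone taps the link
    cookie = server.poll(token)            # desktop's next poll receives a session
    replay = server.poll(token)            # the token is spent: None
    assert first_poll is None
    return server.whoami(cookie), replay


if __name__ == "__main__":
    print(run_demo())
```

The keylogger on the desktop captures nothing reusable: the token expires in minutes, is consumed by the first successful poll, and cannot be approved by a second phone once claimed. What the sketch does not address is a user tapping a link for a login they did not start, which is why the real scheme shows the request on the phone before the tap.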

Google’s Dirk Balfanz says it was an experiment that’s not yet ready for prime time:

We always work on improving authentication, and try out different things every now and then. We’re working on something that I believe is even better, and when that’s ready for a public trial we’ll let you know.

More discussion on this at Google+.


Disclosure

Ryan Naraine

The most important disclosure is of my employment with Kaspersky Lab as a security evangelist. Kaspersky Lab is a global company specializing in anti-malware and secure content management technologies. I do not own stocks or other investments in any technology company.

Biography

Ryan Naraine

Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues. He is currently security evangelist at Kaspersky Lab, an anti-malware company with operations around the globe. He is taking a leadership role in developing the company's online community initiative around secure content management technologies.

Prior to joining Kaspersky Lab, Ryan was Editor-at-Large/Security at eWEEK, leading the magazine's and Web site's coverage of Internet and computer security issues and managing the popular SecurityWatch blog, covering the daily threats, vulnerabilities and IT security technologies. He also covered IT security, hacker attacks and secure content management topics for Jupiter Media's internetnews.com.

Ryan can be reached at naraine SHIFT 2 gmail.com. For daily updates on Ryan's activities, follow him on Twitter.

Talkback

  • RE: Google testing login authentication via QR codes
    See, that's kind of cool...until you lose your phone. Or the battery dies.
    Aerowind
    17th Jan
  • RE: Google testing login authentication via QR codes
    Can't lose it if you TATTOO it on your forehead.
    fm-usa
    17th Jan
  • RE: Google testing login authentication via QR codes
    ANY form of 2FA is better than none. Google's effort to bring the mainstream into authentication here is laudable but, in my opinion, flawed. This is a convoluted process that requires multiple steps, a smartphone (shockingly, half of all phones in the US are still standard "feature" phones) to read the QR code and some agility to read the code properly.

    The flaw is based on the fact that in a battle between security and convenience, convenience wins. If users are forced into multiple steps to complete they'll simply turn that option off or go elsewhere.

    A 2FA method that is more secure uses a cell phone and text messaging but displays an alphanumeric code on the web page instead of a QR code and simply has the user text in the code from the cell phone which has been pre-registered and associated with that ID and password. When this approach is taken there is no open field on the web page to be hacked and the cell phone cannot be spoofed due to the UDID requirements and check at the carrier level.

    It seems unlikely that any of Google's QR code process is as simple to the user as just sending an SMS from their phone. Simple, fast and less hackable than other available methods.

    Finally, while this method is possible for a company with Google's resources it doesn't allow for downward scalability for smaller businesses. Implementation of security measures for SMEs is a hurdle to most methods. There's no conceivable way that Google's method could be transportable to smaller companies with any ease.

    Scott Goldman
    CEO - TextPower, Inc.
    TextPower
    18th Jan
  • RE: Google testing login authentication via QR codes
    Scott - sounds like you are saying it is easier for the business and end user to telesign into an account than login with a QR code?
    clouddefender
    23rd Jan
