Google testing login authentication via QR codes

Google testing login authentication via QR codes

Summary: Instead of entering a Google Account password on public computers that might be infected with keystroke loggers, Google is experimenting with a phone-based authentication scheme.

TOPICS: Security, Google

Google has quietly tested a new login mechanism for users on public computers -- authentication via QR codes scanned by mobile devices.

The phone-based authentication, spotted by the folks at Hacker News before it was pulled offline by Google, is a variation of the GMail two-step verification scheme.

Codenamed Sesame, the feature is aimed on computer users logging into GMail or other Google accounts on public computers in libraries or coffee shops because of the high risk of spyware/keyloggers on thos machines.

It lets users scan a QR code from a special Google Web page.  The QR code will return a Web page on the user's phone and once that URL is tapped, the desktop browser will automagically redirect to the users's logged-in Google Account without requiring a password.

Google's Dirk Balfanz says it was an experiment that's not yet ready for prime time:

We always work on improving authentication, and try out different things every now and then. We're working on something that I believe is even better, and when that's ready for a public trial we'll let you know.

More discussion on this at Google+.

Topics: Security, Google

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


Log in or register to join the discussion
  • RE: Google testing login authentication via QR codes

    See, that's kind of cool...until you lose your phone. Or the battery dies.
  • RE: Google testing login authentication via QR codes

    . .
  • RE: Google testing login authentication via QR codes

    Can't loose it if you TATTOO it on your forehead.
  • RE: Google testing login authentication via QR codes

    ANY form of 2FA is better than none. Google's effort to bring the mainstream into authentication here is laudable but, in my opinion, flawed. This is a convoluted process that requires multiple steps, a smartphone (shockingly, half of all phones in the US are still standard "feature" phones) to read the QR code and some agility to read the code properly.

    The flaw is based on the fact that in a battle between security and convenience, convenience wins. If users are forced into multiple steps to complete they'll simply turn that option off or go elsewhere.

    A 2FA method that is more secure uses a cell phone and text messaging but displays an alphanumeric code on the web page instead of a QR code and simply has the user text in the code from the cell phone which has been pre-registered and associated with that ID and password. When this approach is taken there is no open field on the web page to be hacked and the cell phone cannot be spoofed due to the UDID requirements and check at the carrier level.

    It seems unlikely that any of Google's QR code process is as simple to the user as just sending an SMS from their phone. Simple, fast and less hackable than other available methods.

    Finally, while this method is possible for a company with Google's resources it doesn't allow for downward scalability for smaller businesses. Implementation of security measures for SMEs is a hurdle to most methods. There's no conceivable way that Google's method could be transportable to smaller companies with any ease.

    Scott Goldman
    CEO - TextPower, Inc.
  • RE: Google testing login authentication via QR codes

    Scoot - sounds like you are saying it is easier for the business and end user to telesign into an account that login with a QR code?