Open sesame: Google's no-password log-in

Google has launched a new method for users to gain access to their accounts by using a trusted device to verify the log-in request.

After scanning a QR code, users are prompted to authorise the log-in.
(Screenshot by Michael Lee/ZDNet Australia)

Although Google hasn't yet announced the feature's official name, it has been dubbed Sesame by many due to its URL, which Google likely picked as a reference to the famed phrase, "Open sesame". Users will need a Google account, a mobile device that is already logged in to their account, a QR code reader and, of course, a computer that they want to log in to.

Navigating to presents users with nothing more than a QR code, which expires after a few minutes. After scanning it on a mobile device and navigating to the URL contained in it, users are asked on their mobile device whether they want to give the computer access to their account.

Sesame then redirects to the user's Gmail or iGoogle page, depending on the option picked by the user.

The idea behind Sesame is that it prevents keyloggers from stealing your username and password, although, if a computer is insecure enough to have one installed, it may have larger problems.

Google's two-factor authentication is also circumvented, allowing users to log in without entering their six-digit token, but it could be argued that this wouldn't provide any additional security, since the mobile device being used to authorise the log-in would be the same one with the token. However, this could be a concern if users don't use Sesame as intended.

Users can easily find the URL embedded into the QR code by viewing the source code of the Sesame page. This can then be sent to a logged-in user on another computer, rather than a mobile device, to eliminate the second security factor. To Google's credit, users are provided with a highlighted warning informing them that if they did not scan a barcode, then they should not proceed.

It's worth noting that at no stage is the user's password ever revealed, making it impossible for a user granted permission this way to change the account's password. Additionally, by using Google's session-management tool in Gmail, users can revoke logged-in sessions.
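To make the flow described above concrete, here is an added example (not Google's code) of the server-side logic such a QR-code log-in needs: a short-lived, single-use token behind the QR code, approval only from an already authenticated mobile session, the desktop polling for its new session without ever seeing a password, and the revocation the article mentions. The URL, time-to-live and session store are assumptions for illustration.

```python
import secrets
import time

TOKEN_TTL = 180  # seconds; the article says the QR code "expires after a few minutes"


class QrLoginServer:
    """Minimal model of a QR-code log-in service (illustrative, not Google's)."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.pending = {}   # token -> {"created": t, "approved_by": user or None}
        self.sessions = {}  # session id -> user name (mobile and desktop alike)

    def issue_qr(self):
        """Desktop asks for a QR code: mint an unguessable token and return the URL it encodes."""
        token = secrets.token_urlsafe(16)
        self.pending[token] = {"created": self.clock(), "approved_by": None}
        return "https://login.example/sesame?t=" + token  # hypothetical URL

    def _live(self, token):
        """Return the pending entry, or None if unknown or expired (expired entries are dropped)."""
        entry = self.pending.get(token)
        if entry is None:
            return None
        if self.clock() - entry["created"] > TOKEN_TTL:
            del self.pending[token]
            return None
        return entry

    def approve(self, token, mobile_session):
        """Mobile device, already logged in, confirms the log-in; only the first approval counts."""
        user = self.sessions.get(mobile_session)
        entry = self._live(token)
        if user is None or entry is None or entry["approved_by"] is not None:
            return False
        entry["approved_by"] = user
        return True

    def poll(self, token):
        """Desktop polls: once approved, the token is consumed and a fresh session is issued."""
        entry = self._live(token)
        if entry is None or entry["approved_by"] is None:
            return None
        del self.pending[token]  # single use: a replayed token yields nothing
        session_id = secrets.token_urlsafe(16)
        self.sessions[session_id] = entry["approved_by"]
        return session_id

    def revoke(self, session_id):
        """Session management as in Gmail: the user can kill any logged-in session."""
        return self.sessions.pop(session_id, None) is not None
```

The desktop never learns the password, so a session granted this way cannot be used to change it; the token is useless before approval, after expiry, and after its first use.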

Google has since pulled the feature offline, as it had originally intended it to be an experimental feature and wasn't ready for wider adoption.

"It was missing a few features that a non-'experimental' version for the general public would have had, such as an easier way to discover the QR-code log-in page and a more streamlined user experience on the phone (typing passwords into phones is not fun). But most importantly, we had only dedicated very few resources to running this experiment, and would rather spend our time developing a solution that doesn't have the above-mentioned omissions, than scaling up the experiment in its current form," wrote Dirk Balfanz, a software engineer in Google's security team.

According to Balfanz, who currently works on Google's OpenID and Open Authentication implementations, Google is working on something better, and the experiment was only meant to be used to study the usability of alternate log-in mechanisms.

Updated at 3.04pm, 18 January 2012: Google has now concluded the experiment.
