
Login to your Google account by scanning a QR code - dannyr
https://accounts.google.com/sesame
======
dannyr
Got it from a Google+ post.

[https://plus.google.com/103943309878727777440/posts/DCdBqZX3...](https://plus.google.com/103943309878727777440/posts/DCdBqZX3bvQ)

====================

remember this url: <https://accounts.google.com/sesame> . next time you want
to check your gmail on a public computer, don't trust even the incognito
window because an installed keylogger can record your keystrokes, which
unsurprisingly, include your password. use your phone to scan the qrcode on
the sesame web page and hit the resultant url -- the desktop browser will
automagically redirect to your logged-in gmail without entering your password.
yes, i think you do need an android phone with a properly configured google
account for this to work.

====================

~~~
baby
I've always been scared about keyloggers in internet cafés or public
computers in university/hotels. I really wonder if there's a way around.
Especially since, if you can scan this with your cellphone it supposes you
have internet on your cellphone.

~~~
lell
Here's a trick: as you are typing in your l/p, click somewhere on the screen
to defocus the textbox and then type some random characters and then click
back on the textbox. And also type random characters into the textbox, and
then select them with the mouse and overwrite them with correct characters. Do
this a bunch. Almost all keyloggers just log all key strokes, then people scan
for stuff that looks like "john@example.comLkd98/x,". There's still the chance
that your internet cafe has a more sophisticated logger on it. But if you do
this you've made a real step to fight keyloggers in internet cafes.

~~~
myared
This, along with copying a character from the clipboard, won't defeat most
keyloggers. The only kind you would be fooling would be a hardware keylogger.
Your best bet is two step authentication.

~~~
baby
Care to explain why it wouldn't defeat most keyloggers? My knowledge of this
is that when you look at the log created by the keylogger you just see a bunch
of keystrokes but you have no way to tell if they were typed in the same
field.

The two step identification doesn't work if you don't have internet on your
phone, right?

------
thought_alarm
After poking around a bit, it looks like the original URL is
<http://goto.google.com/login> which redirects to the somewhat more obscure
<http://accounts.google.com/sesame>

My question is, what is <http://goto.google.com> anyway? It looks like a
Google employee portal.

------
edlea
If you're on an untrusted computer, the network is by definition also
untrusted.

What happens if the computer has a hacker's self-signed certificate for
<https://accounts.google.com> installed and the hacker sets up a
man-in-the-middle style attack?

The hacker's browser asks Google for a QR code and it gets sent to your
browser. When you scan the code and authorise from your phone, the hacker's
browser would be logged into your Google account.

~~~
mike-cardwell
This is supposed to secure you on an untrusted computer. It doesn't. There are
loads of attacks still. The moment you log in, the attacker has access to your
account because they control the browser you're using.

What it protects against is basic key logging attacks (software and hardware).
These are the most likely attack you can expect to see, so protecting against
them has real life value.

The safest thing you can do is never use an untrusted machine to access
important accounts.

------
ot
Wait, if my phone can access the Internet, why would I use an untrusted
computer to access GMail?

I can't see a compelling use case for this. It would be more useful to have my
phone generate a one-time password without requiring to be connected.

~~~
nl
Cost provides some compelling use-cases.

If you are overseas, roaming costs are crazy. I'd consider paying them to
download a single .png (QRCode) and then use an untrusted computer.

~~~
mseebach
The QR code is displayed on the unsecure connected computer. Your phone
network is used to perform the login, so it uses very little data.

A logical next step would be an app that can streamline the auth a bit (have
your username prefilled from the Android account) and send the auth to Google
via SMS (often easier and cheaper than getting started with dataroaming).

------
Aissen
Stop! If you're on an untrusted machine, this is untrusted, too. It should be
pretty easy to install alternative certificates, MITM this page, and serve you
a bad QR code that will give access to your account to someone else.

They might not be able to change your password (if you have 2-factor auth),
but they could read/forward all your mail, delete documents, etc.

This isn't enough to work on untrusted computers on untrusted networks (but
it's still damn useful for fast-login).

~~~
sc00ter
> MITM this page, and serve you a bad QR code

You're then reading the QR code on what is assumed to be a trusted device on a
trusted network (your mobile phone). The QR code would have to link to a bogus
website masquerading as google in order to intercept your username & password.
It requires a degree of vigilance on the part of the user at this point to
ensure that the login page is genuinely google, but anyone using this auth
mechanism must be reasonably security-conscious to start with.

By your assertion, the only solution is to not use untrusted computers /
networks at all. In the event that you have to, this is one way to do so more
securely.

~~~
thedufer
This is not what he's talking about. Someone could open the sesame page on
another computer, and use MITM to serve that code to you. Then, you're giving
someone else access instead of yourself when you log in on your phone.

If you're this distrustful, don't use the computer. This entry only seems to
prevent keylogging attacks.

~~~
Aissen
Thanks for explaining what I meant in simpler terms.

------
runjake
I don't have much to add, other than this QR code is a timed one-time pad, so
it expires rather quickly.

Visit the site and leave it open for a few minutes, and you'll get an
expiration popup. So, people aren't going to be rummaging through the cache or
snapping a screenshot at the cafe and going home and logging in as you.

------
rpledge
This is very similar to what I've been working on at qrauth.com

Glad to see my concept isn't too off the wall

~~~
megamark16
Looks cool, but your about page is broken. Please fix so I can find out more
about your project :)

~~~
rpledge
Oops, I guess I missed a file when I pushed. I'll try and fix it later today.
Basically I'll provide an iPhone app that will read the code, check the
signature and authenticate the device/user account. The idea is that a single
iPhone app can be used to log into many different web sites (or be used as a
second factor authentication). It's still "pre-alpha" for sure.

~~~
irunbackwards
You might find some inspiration from duosecurity, who uses QR codes during
their setup process. (Don't know if they're using them for auth, yet.)

------
ComputerGuru
Doesn't support multiple accounts yet. Unfortunately, the only way of dealing
with multiple Google accounts (for instance, personal and work) remains to use
two different browsers or two different browser profiles.

On iPhone, the process isn't as smooth. You'll be taken to a web-based login
page to enter your account info. However, it seems to be buggy: if you're
logged into one account on your desktop and another account on your mobile,
weird stuff happens.

~~~
tjoff
_On iPhone, the process isn't as smooth. You'll be taken to a web-based login
page to enter your account info._

Isn't that how it's supposed to work? That's how it works on my Nexus S. Much
hassle... Would be better to have an app that does that automatically (since
android is pretty much always logged in but the phone browser pretty much
never is).

------
deepuj
Sweet! Seeing a genuine use of QR code for the first time.

~~~
Leynos
My favourite use case for QR codes is the links to a web site showing realtime
bus arrival times you see at bus stops that don't yet have a realtime arrivals
sign up. You can type the web address in manually too, of course, but the QR
code is much more convenient.

------
kpi
Great use case for QR codes.

------
_djo_
The service has been shut down for now. If you try to access the URL, this
text is all that's there:

_Hi there - thanks for your interest in our phone-based login experiment.
While we have concluded this particular experiment, we constantly experiment
with new and more secure authentication mechanisms.

Stay tuned for something even better!

Dirk Balfanz, Google Security Team._

------
hamvocke
Seems like it has been shut down. The site currently only provides a message
that this has been an experiment:

_While we have concluded this particular experiment, we constantly experiment
with new and more secure authentication mechanisms._

_Stay tuned for something even better!_

------
resnamen
Wow! This is sweet, but I wish Google had an even shorter URL for it.

~~~
sp332
Try logging in to <http://goo.gl/> and paste the accounts.google.com/sesame
link. You'll get your own shortened link.

------
ghostDancer
Something similar: <http://bidikey.com/en/bidikey-videos>

------
sylvanaar
Remember to log out manually when you are done. Just closing the browser isn't
enough.

------
roadnottaken
it's kind of neat to re-load the QR-code quickly -- you can see that some
parts are refreshed constantly, while other parts only refresh every few
seconds. Presumably this has to do with the expiration behavior...

~~~
krallja
The actual content of the QR code is the following URL:

[https://accounts.google.com/sesame/uc?s=vlrPimUVe5-LGarBtJxU...](https://accounts.google.com/sesame/uc?s=vlrPimUVe5-LGarBtJxU3k1hwik)

The `s` parameter is changed with every refresh, but the majority of the URL
remains constant.

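The flow krallja and runjake describe (a short-lived `s` token in the QR URL, approved by a phone that is already logged in) as a toy server model, added here and not Google's code; the token lifetime, the URL parsing and the account names are constructed assumptions. It also makes concrete the caveat edlea and thedufer raise: the server binds the resulting login to whichever browser session requested the token, and has no way to tell whether that session is the one the user is sitting at.

```python
import secrets
import time

# Assumed lifetime; the thread only says the code "expires rather quickly".
TOKEN_TTL_SECONDS = 120


class SesameServer:
    """Constructed model of the sesame-style QR login (not Google's implementation)."""

    def __init__(self, now=time.time):
        self.now = now          # injectable clock so expiry can be demonstrated offline
        self.pending = {}       # token -> (browser_session_id, issued_at)
        self.sessions = {}      # browser_session_id -> logged-in account, or None

    def new_browser_session(self):
        """The (possibly untrusted) desktop browser opens the sesame page."""
        sid = secrets.token_urlsafe(16)
        self.sessions[sid] = None
        return sid

    def issue_qr_url(self, sid):
        """What the browser fetches on each refresh: only the s= parameter changes."""
        token = secrets.token_urlsafe(20)
        self.pending[token] = (sid, self.now())
        return f"https://accounts.google.com/sesame/uc?s={token}"

    def approve_from_phone(self, url, phone_account):
        """The logged-in phone hits the scanned URL. Each token is single-use and
        time-limited; on success the login lands in the session that requested it."""
        token = url.rsplit("s=", 1)[1]
        entry = self.pending.pop(token, None)   # consumed whether or not it is valid
        if entry is None:
            return "unknown-or-used-token"
        sid, issued_at = entry
        if self.now() - issued_at > TOKEN_TTL_SECONDS:
            return "expired"
        self.sessions[sid] = phone_account
        return "ok"

    def whoami(self, sid):
        """What the desktop browser sees when it polls after the phone approval."""
        return self.sessions.get(sid)


if __name__ == "__main__":
    srv = SesameServer()
    sid = srv.new_browser_session()
    url = srv.issue_qr_url(sid)
    print(url, srv.approve_from_phone(url, "alice@example.com"), srv.whoami(sid))
```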
------
ecesena
Now closed... broken or really an experiment!?

