Login to your Google account by scanning a QR code (accounts.google.com)
208 points by dannyr on Jan 16, 2012 | 66 comments

Got it from a Google+ post.

remember this url: https://accounts.google.com/sesame . next time you want to check your gmail on a public computer, don't trust even the incognito window because an installed keylogger can record your keystrokes, which unsurprisingly, include your password. use your phone to scan the qrcode on the sesame web page and hit the resultant url -- the desktop browser will automagically redirect to your logged-in gmail without entering your password. yes, i think you do need an android phone with a properly configured google account for this to work.


I've always been scared about keyloggers in internet cafes or public computers in university/hotels. I really wonder if there's a way around. Especially since, if you can scan this with your cellphone it supposes you have internet on your cellphone.

Here's a trick: as you are typing in your l/p, click somewhere on the screen to defocus the textbox and then type some random characters and then click back on the textbox. And also type random characters into the textbox, and then select them with the mouse and overwrite them with correct characters. Do this a bunch. Almost all keyloggers just log all key strokes, then people scan for stuff that looks like "john@example.comLkd98/x,". There's still the chance that your internet cafe has a more sophisticated logger on it. But if you do this you've made a real step to fight keyloggers in internet cafes.

This, along with copying a character from the clipboard, won't defeat most keyloggers. The only kind you would be fooling would be a hardware keylogger. Your best bet is two step authentication.

Care to explain why it wouldn't defeat most keyloggers? My knowledge of this is that when you look at the log created by the keylogger you just see a bunch of keystrokes but you have no way to tell if they were typed in the same field.

The two step identification doesn't work if you don't have internet on your phone right?

If I was writing one I'd just be logging posted form fields with a transparent proxy, almost seems easier than a key logger.

Except that doesn't work if the form posts to a HTTPS URL. You'd have to implement something at the browser level, e.g. installing a modified browser or a browser extension.

It is possible to perform a MITM attack on HTTPS when you can install any certificates you want in the web browser.

For google, I turned on two-factor authentication. They provide an iOS/Android/Blackberry app that acts like a SecurID (provides a different security code every 30 seconds).

The phone app could also be used for your own projects. It supports multiple accounts and either manual or QR-code based configuration.

Google provides a PAM module so you can add 2-factor auth to ssh. And it is easy to implement the standard on the server side, if you want to add 2-factor auth to your web app.

For more info, see:


google also offers two-factor authentication

I switched from Gmail to FastMail partly because they offer neat features like one-time passwords. (Two-factor auth with SMS - which FM also has - is nice but not always convenient/possible.)

You choose a "base password" (different from your master password) and it then generates 100 one-time passwords that you can print out and put in your wallet. So to login, the password you enter is "<base password><one-time password>". Works great. You can also make it restricted so that one-time logins can't delete anything, or change any options.

Gmail supports 2-factor authentication as well: http://support.google.com/accounts/bin/static.py?hl=en&t...

It works by requiring your normal password, plus a one time password that can either be SMS'd to your phone, generated by an Android app, or one on a list that you've pre-printed and keep in your wallet.

Cool, didn't know you could pre-print lists. I think I prefer the FastMail way though. With Google, as I understand it, 2-step authentication is either on or off; you have to use it all the time, or not at all. (Application-specific passwords are an exception but not relevant to the issue with keyloggers and public computers.) With FM, you can always sign in with just your master password, _or_ totallydifferentpassword+one-time-password (and you can have multiple sets of alternative logins).

I don't want to deal with 2-step authentication on devices I trust (e.g., my encrypted laptop). I could switch it on and off every now and then, but with Google I'd always be typing my normal password (for me, generated by KeePassX and impossible to memorize) when doing the 2-step thing, right?

The "Remember me" feature works normally. There's a "remember this computer for 30 days" option that sets a cookie on the computer so that you aren't prompted for the one-time password again, just your regular one (if "Remember me" is turned off).

I actually really like this idea of a one time password being equivalent to a remembered session based on a cookie.

You get read only access with your OTP, and if you want to do something destructive or otherwise important, log in again with stricter authentication.
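To make the FastMail scheme described above concrete (base password + a printed list of one-time passwords, with one-time logins restricted to read-only), here is an added example of the server side. It is not FastMail's code; the password strings, the 12-hex-character OTP format, the sheet size of 100 and the action names are all constructed for the example.

```python
import hashlib
import hmac
import os
import secrets


def _kdf(password: str, salt: bytes) -> bytes:
    """PBKDF2-SHA256 for the two long-lived passwords (iteration count kept low here for speed)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 10_000)


class OtpLoginAccount:
    """One user's server-side login state: master password, base password and a printed OTP sheet."""

    OTP_LEN = 12  # hex characters per printed code (48 bits of entropy); constructed choice
    RESTRICTED_ACTIONS = {"read", "search"}  # what a one-time login is allowed to do

    def __init__(self, master_password: str, base_password: str, sheet_size: int = 100):
        self.salt = os.urandom(16)
        self.master_hash = _kdf(master_password, self.salt)
        self.base_hash = _kdf(base_password, self.salt)
        # Codes are kept only as hashes plus a spent flag; the plaintext leaves the server exactly once.
        sheet = [secrets.token_hex(self.OTP_LEN // 2) for _ in range(sheet_size)]
        self.otp_hashes = {hashlib.sha256(code.encode()).hexdigest(): False for code in sheet}
        self._unprinted_sheet = sheet

    def print_sheet(self) -> list:
        """Hand over the plaintext list once, e.g. to render the printable wallet page."""
        if self._unprinted_sheet is None:
            raise RuntimeError("sheet already printed")
        sheet, self._unprinted_sheet = self._unprinted_sheet, None
        return sheet

    def login(self, submitted: str):
        """Return a session scope: "full" for the master password, "restricted" for base+OTP, None otherwise."""
        if hmac.compare_digest(_kdf(submitted, self.salt), self.master_hash):
            return "full"
        if len(submitted) <= self.OTP_LEN:
            return None
        prefix, otp = submitted[:-self.OTP_LEN], submitted[-self.OTP_LEN:]
        if not hmac.compare_digest(_kdf(prefix, self.salt), self.base_hash):
            return None
        digest = hashlib.sha256(otp.encode()).hexdigest()
        if digest in self.otp_hashes and not self.otp_hashes[digest]:
            self.otp_hashes[digest] = True  # burn it: a keylogged copy of this login is now useless
            return "restricted"
        return None

    @classmethod
    def allowed(cls, scope: str, action: str) -> bool:
        """Authorization check the rest of the app runs before a destructive operation."""
        if scope == "full":
            return True
        if scope == "restricted":
            return action in cls.RESTRICTED_ACTIONS
        return False
```

The point the thread makes about keyloggers follows directly: what the logger captures is `base + otp`, and after one use that string authenticates nobody, while the base password on its own never authenticates at all. The `allowed` check is what turns the captured-but-spent session into a bounded loss even if the session cookie is stolen before the user logs out.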

Making all of your account available all of the time from one basic login seems like quite a bad idea for a sensitive account.

You can sign in without username and password to OpenID enabled sites with your smartphone and Mepin; https://www.mepin.com/

> i think you do need an android phone with a properly configured google account for this to work.

Works fine on my iPhone with RedLaser to scan the QR. It just redirects to Safari which "remembers" my login info.

Also works fine with Google's iOS app.

yes, i think you do need an android phone with a properly configured google account for this to work.

That's not the case. Presumably accessing the QRCode generates a single use URL, which you can access in the computer browser. There is no client side logic.

(Also, Google generally ships stuff on both iOS and Android)

(Also, it goes against Google's interest to restrict Google account features to Android)

This works just fine from my Windows Phone.

> There is no client side logic.

There have to be some though. I.e. you have to be logged in to Google on your phone.

Naw, you can technically scan this link w/ another laptop using its webcam.

Works fine on my windows phone; remembers my login info from IE.

That seems particularly open to abuse.

Couldn't I just link someone to a copy of the QR code and be automagically logged in as them?

It raises an approval screen on the phone. It says

By proceeding, you give another computer access to the following accounts: * blah@gmail.com

STOP! Only proceed if you arrived at this page by scanning a login barcode at google.co. Otherwise, do not proceed!

(start with GMail) (start with iGoogle)

Ah, I see. Thanks for adding that info

There's a bright highlighted warning that says "STOP! Only proceed if you arrived this page by scanning a login barcode at google.com. Otherwise, do not proceed!"

Will users read the warning? I would—and did—it really grabs your attention given the fact its background is yellow and takes up so much of the iPhone screen.

I suppose there are probably other safeguards as well, given that this is Google—maybe timed expiration?

I left the page open and after I finished reading comments (a minute or two) in HN, the page gave me this popup dialog:

[Alert] Login session has expired. Press Ok to reload.

This + 2 Factor-Authentication = Pretty Damn Secure.

but those two are different things. They are not complementary (from what i understand)

I assume it is valid for only a short period like the code generated from the Google Authenticator app.

After poking around a bit, it looks like the original URL is http://goto.google.com/login which redirects to the somewhat more obscure http://accounts.google.com/sesame

My question is, what is http://goto.google.com anyway? It looks like a Google employee portal.

If you're on an untrusted computer, the network is by definition also untrusted.

What happens if the computer has a hacker's self-signed certificate for https://accounts.google.com installed and the hacker sets up a man-in-the-middle style attack?

The hacker's browser asks Google for a QR code and it gets sent to your browser. When you scan the code and authorise from your phone, the hacker's browser would be logged into your Google account.

This is supposed to secure you on an untrusted computer. It doesn't. There are loads of attacks still. The moment you log in, the attacker has access to your account because they control the browser you're using.

What it protects against is basic key logging attacks (software and hardware). These are the most likely attack you can expect to see, so protecting against them has real life value.

The safest thing you can do is never use an untrusted machine to access important accounts.

It protects against exactly one more type of vulnerability than the normal login method, so it's still better.

Wait, if my phone can access the Internet, why would I use an untrusted computer to access GMail?

I can't see a compelling use case for this. It would be more useful to have my phone generate a one-time password without requiring it to be connected.

There are other Google Apps that don't work as great on a mobile device. Try Docs on an iPhone, for example. Also, imagine you need to print out a 30 MB PDF that somebody just emailed to you.

Not enamored with QR codes as a solution, though; I still maintain that the vast majority of Americans have no idea what they are and find them, in general, to be a gimmicky pain in the rear. I agree that what you described would actually be more useful, but also probably harder to do (offline = native app).

Google do already provide a set of one-time passwords for those using two-factor auth. I've already added them to a document on my phone for precisely that purpose.

Cost provides some compelling use-cases.

If you are overseas, roaming costs are crazy. I'd consider paying them to download a single .png (QRCode) and then use an untrusted computer.

The QR code is displayed on the insecure connected computer. Your phone network is used to perform the login, so it uses very little data.

A logical next step would be an app that can streamline the auth a bit (have your username prefilled from the Android account) and send the auth to Google via SMS (often easier and cheaper than getting started with data roaming).

Some people prefer keyboards?

I'll be using this in the morning to easily log into all my gmail accounts from work. When I leave work I have a logoff script that clears all my cookies. This logs me into all gmail accounts that I am logged into on my phone without having to log in several times.

Stop! If you're on an untrusted machine, this is untrusted, too. It should be pretty easy to install alternative certificates, MITM this page, and serve you a bad QR code that will give access to your account to someone else.

They might not be able to change your password (if you have 2-factor auth), but they could read/forward all your mail, delete documents, etc.

This isn't enough to work on untrusted computers on untrusted networks (but it's still damn useful for fast-login).

> MITM this page, and serve you a bad QR code

You're then reading the QR code on what is assumed to be a trusted device on a trusted network (your mobile phone). The QR code would have to link to a bogus website masquerading as google in order to intercept your username & password. It requires a degree of vigilance on the part of the user at this point to ensure that the login page is genuinely google, but anyone using this auth mechanism must be reasonably security conscious to start with.

By your assertion, the only solution is to not use untrusted computers / networks at all. In the event that you have to, this is one way to do so more securely.

This is not what he's talking about. Someone could open the sesame page on another computer, and use MITM to serve that code to you. Then, you're giving someone else access instead of yourself when you log in on your phone.

If you're this distrustful, don't use the computer. This entry only seems to prevent keylogging attacks.

Thanks for explaining what I meant in simpler terms.

I don't have much to add, other than this QR code is a timed one-time pad, so it expires rather quickly.

Visit the site and leave it open for a few minutes, and you'll get an expiration popup. So, people aren't going to be rummaging through the cache or snapping a screenshot at the cafe and going home and logging in as you.
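Several comments above piece together how the login must work: the QR code carries a single-use URL (the `s` parameter changes on every refresh), the phone shows a STOP/approve screen, and the whole thing expires after a minute or two so a cached or screenshotted code is useless. This added example models that server side in Python; it is a constructed model written for this thread, not Google's implementation. The endpoint `https://accounts.example.com/sesame/approve`, the 60-second lifetime and the user names are assumptions.

```python
import secrets
import urllib.parse


class QrLoginService:
    """Server side of a sesame-style login (constructed model, not Google's code).

    1. The desktop browser asks for a login code and renders the returned URL as a QR code.
    2. The phone, already signed in, opens that URL and shows the approval screen.
    3. Only after the user confirms on the phone does the browser's next poll receive a session.
    """

    BASE_URL = "https://accounts.example.com/sesame/approve"  # placeholder endpoint

    def __init__(self, ttl_seconds: int = 60):
        self.ttl = ttl_seconds
        self.pending = {}      # token -> record
        self.by_browser = {}   # browser session id -> its current token

    def new_login_code(self, browser_session: str, now: float) -> str:
        """Mint a fresh single-use token; refreshing the page invalidates the previous one."""
        old = self.by_browser.get(browser_session)
        if old is not None:
            self.pending.pop(old, None)
        token = secrets.token_urlsafe(24)
        self.pending[token] = {"browser": browser_session, "created": now,
                               "approved_user": None, "consumed": False}
        self.by_browser[browser_session] = token
        return f"{self.BASE_URL}?{urllib.parse.urlencode({'s': token})}"

    @staticmethod
    def token_from_url(url: str) -> str:
        """What the phone extracts after scanning: the `s` query parameter."""
        return urllib.parse.parse_qs(urllib.parse.urlparse(url).query)["s"][0]

    def _live(self, token: str, now: float):
        rec = self.pending.get(token)
        if rec is None or now - rec["created"] > self.ttl:
            self.pending.pop(token, None)  # expired: the browser gets "Login session has expired"
            return None
        return rec

    def approve(self, token: str, phone_user: str, confirmed: bool, now: float) -> bool:
        """Called from the phone. `confirmed` models the STOP screen: nothing happens until the user says yes."""
        rec = self._live(token, now)
        if rec is None or not confirmed or rec["approved_user"] is not None:
            return False
        rec["approved_user"] = phone_user
        return True

    def poll(self, token: str, now: float):
        """Called by the desktop browser. Hands out the signed-in user exactly once, then the token is gone."""
        rec = self._live(token, now)
        if rec is None or rec["approved_user"] is None or rec["consumed"]:
            return None
        rec["consumed"] = True
        self.pending.pop(token, None)
        self.by_browser.pop(rec["browser"], None)
        return rec["approved_user"]


if __name__ == "__main__":
    svc = QrLoginService()
    url = svc.new_login_code("browser-A", now=0)
    tok = QrLoginService.token_from_url(url)
    svc.approve(tok, "alice@example.com", confirmed=True, now=5)
    print("desktop session for:", svc.poll(tok, now=6))
```

Note what the token does and does not bind. It binds the approval to one pending browser request and to a short time window, which is what defeats replay from a cache or screenshot. It does not bind that request to the particular computer in front of you, which is the MITM concern raised above: whoever's browser minted the token gets the session, so the phone's STOP screen is the only place the user can notice a mismatch.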

This is very similar to what I've been working on at qrauth.com

Glad to see my concept isn't too off the wall

Looks cool, but your about page is broken. Please fix so I can find out more About your project :)

Oops, I guess I missed a file when I pushed. I'll try and fix it later today. Basically I'll provide an iPhone app that will read the code, check the signature and authenticate the device/user account. The idea is that a single iPhone app can be used to log into many different web sites (or be used as a second factor authentication). It's still "pre-alpha" for sure.

You might find some inspiration from duosecurity, who uses QR codes during their setup process. (Don't know if they're using them for auth, yet.)

Doesn't support multiple accounts yet. Unfortunately, the only way of dealing with multiple Google accounts (for instance, personal and work) remains to use two different browsers or two different browser profiles.

On iPhone, the process isn't as smooth. You'll be taken to a web-based login page to enter your account info. However, it seems to be buggy as if you're logged into one account on your desktop and another account on your mobile weird stuff happens.

On iPhone, the process isn't as smooth. You'll be taken to a web-based login page to enter your account info.

Isn't that how it's supposed to work? That's how it works on my Nexus S. Much hassle... Would be better to have an app that does that automatically (since android is pretty much always logged in but the phone browser pretty much never is).

Seems like dasherization is always google's last priority...

Sweet! Seeing a genuine use of QR code for the first time.

My favourite use case for QR codes is the links to a web site showing realtime bus arrival times you see at bus stops that don't yet have a realtime arrivals sign up. You can type the web address in manually too, of course, but the QR code is much more convenient.

Great use case for QR codes.

The service has been shut down for now. If you try to access the URL, this text is all that's there:

Hi there - thanks for your interest in our phone-based login experiment. While we have concluded this particular experiment, we constantly experiment with new and more secure authentication mechanisms.

Stay tuned for something even better!

Dirk Balfanz, Google Security Team.

Seems like it has been shut down. The site currently only provides a message that this has been an experiment:

While we have concluded this particular experiment, we constantly experiment with new and more secure authentication mechanisms.

Stay tuned for something even better!

Wow! This is sweet, but I wish Google had an even shorter URL for it.

Try logging in to http://goo.gl/ and paste the accounts.google.com/sesame link. You'll get your own shortened link.

Remember to log out manually when you are done. Just closing the browser isn't enough.

it's kind of neat to re-load the QR-code quickly -- you can see that some parts are refreshed constantly, while other parts only refresh every few seconds. Presumably this has to do with the expiration behavior...

The actual contents of the QR code is the following URL:


The `s` parameter is changed with every refresh, but the majority of the URL remains constant.

Now closed... broken or really an experiment!?
