remember this url: https://accounts.google.com/sesame . next time you want to check your gmail on a public computer, don't trust even the incognito window because an installed keylogger can record your keystrokes, which, unsurprisingly, include your password. use your phone to scan the QR code on the sesame web page and hit the resultant url -- the desktop browser will automagically redirect to your logged-in gmail without entering your password. yes, i think you do need an android phone with a properly configured google account for this to work.
I've always been scared about keyloggers in internet cafés or public computers in universities/hotels. I really wonder if there's a way around it. Especially since, if you can scan this with your cellphone, it supposes you have internet on your cellphone.
Here's a trick: as you are typing in your l/p, click somewhere on the screen to defocus the textbox and then type some random characters and then click back on the textbox. And also type random characters into the textbox, and then select them with the mouse and overwrite them with correct characters. Do this a bunch. Almost all keyloggers just log all key strokes, then people scan for stuff that looks like "john@example.comLkd98/x,". There's still the chance that your internet cafe has a more sophisticated logger on it. But if you do this you've made a real step to fight keyloggers in internet cafes.
This, along with copying a character from the clipboard, won't defeat most keyloggers. The only kind you would be fooling would be a hardware keylogger. Your best bet is two step authentication.
Care to explain why it wouldn't defeat most keyloggers? My knowledge of this is that when you look at the log created by the keylogger you just see a bunch of keystrokes but you have no way to tell if they were typed in the same field.
The two step identification doesn't work if you don't have internet on your phone right?
Except that doesn't work if the form posts to an HTTPS URL. You'd have to implement something at the browser level, e.g. installing a modified browser or a browser extension.
For Google, I turned on two-factor authentication. They provide an iOS/Android/Blackberry app that acts like a SecurID (provides a different security code every 30 seconds).
The phone app could also be used for your own projects. It supports multiple accounts and either manual or QR-code based configuration.
Google provides a PAM module so you can add 2-factor auth to ssh. And it is easy to implement the standard on the server side, if you want to add 2-factor auth to your web app.
I switched from Gmail to FastMail partly because they offer neat features like one-time passwords. (Two-factor auth with SMS - which FM also has - is nice but not always convenient/possible.)
You choose a "base password" (different from your master password) and it then generates 100 one-time passwords that you can print out and put in your wallet. So to login, the password you enter is "<base password><one-time password>". Works great. You can also make it restricted so that one-time logins can't delete anything, or change any options.
It works by requiring your normal password, plus a one time password that can either be SMS'd to your phone, generated by an Android app, or one on a list that you've pre-printed and keep in your wallet.
Cool, didn't know you could pre-print lists. I think I prefer the FastMail way though. With Google, as I understand it, 2-step authentication is either on or off; you have to use it all the time, or not at all. (Application-specific passwords are an exception but not relevant to the issue with keyloggers and public computers.) With FM, you can always sign in with just your master password, _or_ totallydifferentpassword+one-time-password (and you can have multiple sets of alternative logins).
I don't want to deal with 2-step authentication on devices I trust (e.g., my encrypted laptop). I could switch it on and off every now and then, but with Google I'd always be typing my normal password (for me, generated by KeePassX and impossible to memorize) when doing the 2-step thing, right?
The "Remember me" feature works normally. There's a "remember this computer for 30 days" option that sets a cookie on the computer so that you aren't prompted for the one-time password again, just your regular one (if "Remember me" is turned off).
yes, i think you do need an android phone with a properly configured google account for this to work.
That's not the case. Presumably accessing the QR code generates a single-use URL, which you can access in the computer browser. There is no client side logic.
(Also, Google generally ships stuff on both iOS and Android)
(Also, it goes against Google's interest to restrict Google account features to Android)
There's a bright highlighted warning that says "STOP! Only proceed if you arrived this page by scanning a login barcode at google.com. Otherwise, do not proceed!"
Will users read the warning? I would—and did—it really grabs your attention given the fact its background is yellow and takes up so much of the iPhone screen.
I suppose there are probably other safeguards as well, given that this is Google—maybe timed expiration?
If you're on an untrusted computer, the network is by definition also untrusted.
What happens if the computer has a hacker's self-signed certificate for https://accounts.google.com installed and the hacker sets up a man-in-the-middle style attack?
The hacker's browser asks Google for a QR code and it gets sent to your browser. When you scan the code and authorise from your phone, the hacker's browser would be logged into your Google account.
This is supposed to secure you on an untrusted computer. It doesn't. There are loads of attacks still. The moment you log in, the attacker has access to your account because they control the browser you're using.
What it protects against is basic key logging attacks (software and hardware). These are the most likely attack you can expect to see, so protecting against them has real life value.
The safest thing you can do is never use an untrusted machine to access important accounts.
There are other Google Apps that don't work as great on a mobile device. Try Docs on an iPhone, for example. Also, imagine you need to print out a 30 MB PDF that somebody just emailed to you.
Not enamored with QR codes as a solution, though; I still maintain that the vast majority of Americans have no idea what they are and find them, in general, to be a gimmicky pain in the rear. I agree that what you described would actually be more useful, but also probably harder to do (offline = native app).
Google do already provide a set of one-time passwords for those using two-factor auth. I've already added them to a document on my phone for precisely that purpose.
The QR code is displayed on the insecurely connected computer. Your phone network is used to perform the login, so it uses very little data.
A logical next step would be an app that can streamline the auth a bit (have your username prefilled from the Android account) and send the auth to Google via SMS (often easier and cheaper than getting started with dataroaming).
I'll be using this in the morning to easily log into all my gmail accounts from work. When I leave work I have a logoff script that clears all my cookies. This logs me into all gmail accounts that I am logged into on my phone without having to log in several times.
Stop! If you're on an untrusted machine, this is untrusted, too. It should be pretty easy to install alternative certificates, MITM this page, and serve you a bad QR code that will give access to your account to someone else.
They might not be able to change your password (if you have 2-factor auth), but they could read/forward all your mail, delete documents, etc.
This isn't enough to work on untrusted computers on untrusted networks (but it's still damn useful for fast-login).
You're then reading the QR code on what is assumed to be a trusted device on a trusted network (your mobile phone). The QR code would have to link to a bogus website masquerading as Google in order to intercept your username & password. It requires a degree of vigilance on the part of the user at this point to ensure that the login page is genuinely Google, but anyone using this auth mechanism must be reasonably security conscious to start with.
By your assertion, the only solution is to not use untrusted computers / networks at all. In the event that you have to, this is one way to do so more securely.
This is not what he's talking about. Someone could open the sesame page on another computer, and use MITM to serve that code to you. Then, you're giving someone else access instead of yourself when you log in on your phone.
If you're this distrustful, don't use the computer. This entry only seems to prevent keylogging attacks.
I don't have much to add, other than that this QR code is a timed one-time pad, so it expires rather quickly.
Visit the site and leave it open for a few minutes, and you'll get an expiration popup. So, people aren't going to be rummaging through the cache or snapping a screenshot at the cafe and going home and logging in as you.
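The expiry and single-use behaviour described in the last two comments is what a server-side token store has to enforce; this added example (not Google's code) sketches one, with the 60-second lifetime and the binding of each token to the browser session that displayed it being assumptions. Note that the binding is exactly why the MITM objection raised earlier in the thread still holds: a redeemed token logs in whichever browser session requested it.

```python
import hashlib
import secrets

TOKEN_TTL_SECONDS = 60  # assumed lifetime; the thread only says it "expires rather quickly"


class LoginTokenStore:
    """Single-use, time-limited login tokens of the kind a scanned QR code would carry.
    Only a SHA-256 of each token is stored, so a leaked store yields nothing redeemable."""

    def __init__(self):
        # sha256(token) -> {"session": browser session id, "expires": deadline, "used": bool}
        self._tokens = {}

    @staticmethod
    def _key(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, browser_session_id: str, now: float) -> str:
        """Mint a fresh random token bound to the browser session that is showing the code."""
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG: unguessable
        self._tokens[self._key(token)] = {
            "session": browser_session_id,
            "expires": now + TOKEN_TTL_SECONDS,
            "used": False,
        }
        return token

    def redeem(self, token: str, phone_account: str, now: float):
        """Called when the already-authenticated phone opens the token URL.
        Returns which browser session to log in as `phone_account`, or None if the
        token is unknown, expired, or was already spent (a cached screenshot replays to nothing)."""
        rec = self._tokens.get(self._key(token))
        if rec is None or rec["used"] or now > rec["expires"]:
            return None
        rec["used"] = True
        return {"session": rec["session"], "account": phone_account}
```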
Oops, I guess I missed a file when I pushed. I'll try and fix it later today. Basically I'll provide an iPhone app that will read the code, check the signature and authenticate the device/user account. The idea is that a single iPhone app can be used to log into many different web sites (or be used as a second factor authentication). It's still "pre-alpha" for sure.
Doesn't support multiple accounts yet. Unfortunately, the only way of dealing with multiple Google accounts (for instance, personal and work) remains to use two different browsers or two different browser profiles.
On iPhone, the process isn't as smooth. You'll be taken to a web-based login page to enter your account info. However, it seems to be buggy: if you're logged into one account on your desktop and another account on your mobile, weird stuff happens.
On iPhone, the process isn't as smooth. You'll be taken to a web-based login page to enter your account info.
Isn't that how it's supposed to work? That's how it works on my Nexus S. Much hassle... Would be better to have an app that does that automatically (since Android is pretty much always logged in but the phone browser pretty much never is).
My favourite use case for QR codes is the links to a web site showing realtime bus arrival times you see at bus stops that don't yet have a realtime arrivals sign up. You can type the web address in manually too, of course, but the QR code is much more convenient.
The service has been shut down for now. If you try to access the URL, this text is all that's there:
Hi there - thanks for your interest in our phone-based login experiment.
While we have concluded this particular experiment, we constantly experiment with new and more secure authentication mechanisms.
it's kind of neat to re-load the QR-code quickly -- you can see that some parts are refreshed constantly, while other parts only refresh every few seconds. Presumably this has to do with the expiration behavior...
https://plus.google.com/103943309878727777440/posts/DCdBqZX3...