Google Tests Secure Login with QR Codes

Similar to the two-step verification process that requires your password and a unique code sent to your smartphone, the QR code login requires the use of your smartphone as part of the process. First, users are required to visit https://accounts.google.com/sesame. Upon arrival, you'll be presented with a QR Code. The next step is to scan this code with a QR code reader, such as Google Goggles. Once you do that, your phone will display a special URL. Click this URL on your phone, and you'll be brought to a mobile Google sign-in page. Once you've logged in via your phone, the browser of the computer you're sitting at will automatically redirect to Gmail. Pretty neat, huh?
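A minimal server-side model of the flow described above, as an added example that is not Google's code or part of the original article. The class name, the `login.example` host, the 120-second lifetime and the session-binding, expiry and single-use checks are assumptions; the article does not say how the experiment was implemented.

```python
import hmac
import secrets
import time

TOKEN_TTL = 120  # seconds a displayed QR code stays valid (assumed value)


class QrLoginBroker:
    """Server-side state for a QR-code login (hypothetical model)."""

    def __init__(self, now=time.time):
        self._now = now
        self._pending = {}  # token -> {"sid", "expires", "user"}

    def start(self, browser_sid):
        """Desktop browser opens the login page: mint the URL encoded in the QR code."""
        token = secrets.token_urlsafe(32)  # unguessable, one per page load
        self._pending[token] = {"sid": browser_sid,
                                "expires": self._now() + TOKEN_TTL,
                                "user": None}
        return "https://login.example/qr?t=" + token  # placeholder host

    def approve(self, token, user):
        """Phone opened the URL and signed in as `user`: mark the token approved."""
        entry = self._pending.get(token)
        if entry is None or self._now() > entry["expires"] or entry["user"]:
            return False  # unknown, expired, or already approved
        entry["user"] = user
        return True

    def poll(self, token, browser_sid):
        """Desktop browser polls: hand over the login once, to the originating session only."""
        entry = self._pending.get(token)
        if entry is None:
            return None
        if self._now() > entry["expires"]:
            del self._pending[token]
            return None
        same_session = hmac.compare_digest(entry["sid"], browser_sid)
        if not same_session or entry["user"] is None:
            return None
        del self._pending[token]  # single use: a replayed token finds nothing
        return entry["user"]
```

These checks limit reuse of a captured URL; they do nothing about the case raised in the comments below, where someone else has the phone in hand.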

This is probably most useful for people who find themselves using public computers a lot. However, don't get too excited -- the feature has already been pulled by Google. As soon as knowledge of it began to spread, Google's Dirk Balfanz updated his Google+ to clarify that this was purely experimental and wouldn't last long.

"Looks like people have found the page for an experiment we've been running for phone-based authentication," he said. "Folks - it's just that - an experiment - and will likely go away at some point. We always work on improving authentication, and try out different things every now and then.

"We're working on something that I believe is even better, and when that's ready for a public trial we'll let you know. I'll label that experimental page appropriately when I get a chance so people don't start depending on an unsupported feature..."

Sadly, the feature has been completely removed, not just relabeled. Accounts.google.com/sesame now displays the following message:

Hi there - thanks for your interest in our phone-based login experiment.

If you didn't get to try it before it was pulled, check the video below for a demo of the feature:

  • freggo
    Interesting idea of course. My hacker mind instantly makes me wonder of course how that can be abused and circumvented :-)
  • 4745454b
    I don't see how this is a good idea. Like Freggo, I'm left wondering if all I have to do is get ahold of someone's smartphone for a bit. Go to site, scan, enter URL, and I'm into their Gmail acct? Potential for abuse is rather high I would think.
  • lashabane
    The person that came up with this should receive a double bonus for their ingenuity.

    And then be fired because someone was able to hijack it.
  • tlmck
    I have yet to give them my phone number and never will. Nor do I use a smart phone. Just have no need for one. They need to get off it and go to a pin system if they want numbers.
  • zak_mckraken
    I can see this system implemented into my banking site, which I use 2-3 times a week. But for email, which I use 2-3 times a day? Seems a bit too time-consuming for what it's worth.
  • __-_-_-__
    "We always work on improving authentication, and try out different things every now and then."

    IT'S NOT A GOOD IDEA TO MAKE EXPERIENCES WITH SECURITY ISSUES
  • f-14
    Pity Goldman Sachs' CEOs didn't find it and use it; I'm so inspired I thought of 5 ways to exploit it for incredible illegal financial gain in less than the first 3 seconds of reading the paragraph of how it works.
    Near Field Technology is so exploitable it's going to be a mf disaster that can be used to cause a financial meltdown of the world when it hits its peak if exploited to its fullest at the right time.