Login to your Google account by scanning a QR code

208 points | dannyr | 14 years ago | accounts.google.com

66 comments

[+] dannyr|14 years ago|reply
Got it from a Google+ post.

https://plus.google.com/103943309878727777440/posts/DCdBqZX3...

====================

remember this url: https://accounts.google.com/sesame . next time you want to check your gmail on a public computer, don't trust even the incognito window because an installed keylogger can record your keystrokes, which, unsurprisingly, include your password. use your phone to scan the qrcode on the sesame web page and hit the resultant url -- the desktop browser will automagically redirect to your logged-in gmail without entering your password. yes, i think you do need an android phone with a properly configured google account for this to work.

====================

[+] baby|14 years ago|reply
I've always been scared about keyloggers in internet cafes or public computers in universities/hotels. I really wonder if there's a way around it. Especially since, if you can scan this with your cellphone, it supposes you have internet on your cellphone.
[+] ot|14 years ago|reply
> i think you do need an android phone with a properly configured google account for this to work.

Works fine on my iPhone with RedLaser to scan the QR. It just redirects to Safari which "remembers" my login info.

[+] nl|14 years ago|reply
> yes, i think you do need an android phone with a properly configured google account for this to work.

That's not the case. Presumably accessing the QRCode generates a single use URL, which you can access in the computer browser. There is no client side logic.

(Also, Google generally ships stuff on both iOS and Android)

(Also, it goes against Google's interest to restrict Google account features to Android)

[+] wingspan|14 years ago|reply
Works fine on my windows phone; remembers my login info from IE.
[+] danielhunt|14 years ago|reply
That seems particularly open to abuse.

Couldn't I just link someone to a copy of the QR code and be automagically logged in as them?

[+] edlea|14 years ago|reply
If you're on an untrusted computer, the network is by definition also untrusted.

What happens if the computer has a hacker's self-signed certificate for https://accounts.google.com installed and the hacker sets up a man-in-the-middle style attack?

The hacker's browser asks Google for a QR code and it gets sent to your browser. When you scan the code and authorise from your phone, the hacker's browser would be logged into your Google account.

[+] mike-cardwell|14 years ago|reply
This is supposed to secure you on an untrusted computer. It doesn't. There are loads of attacks still. The moment you log in, the attacker has access to your account because they control the browser you're using.

What it protects against is basic key logging attacks (software and hardware). These are the most likely attack you can expect to see, so protecting against them has real life value.

The safest thing you can do is never use an untrusted machine to access important accounts.

[+] baddox|14 years ago|reply
It protects against exactly one more type of vulnerability than the normal login method, so it's still better.
[+] ot|14 years ago|reply
Wait, if my phone can access the Internet, why would I use an untrusted computer to access GMail?

I can't see a compelling use case for this. It would be more useful to have my phone generate a one-time password without requiring it to be connected.

[+] pak|14 years ago|reply
There are other Google Apps that don't work as great on a mobile device. Try Docs on an iPhone, for example. Also, imagine you need to print out a 30 MB PDF that somebody just emailed to you.

Not enamored with QR codes as a solution, though; I still maintain that the vast majority of Americans have no idea what they are and find them, in general, to be a gimmicky pain in the rear. I agree that what you described would actually be more useful, but also probably harder to do (offline = native app).

[+] nl|14 years ago|reply
Cost provides some compelling use-cases.

If you are overseas, roaming costs are crazy. I'd consider paying them to download a single .png (QRCode) and then use an untrusted computer.

[+] estel|14 years ago|reply
Google do already provide a set of one-time passwords for those using two-factor auth. I've already added them to a document on my phone for precisely that purpose.
[+] saurik|14 years ago|reply
Some people prefer keyboards?
[+] bkaid|14 years ago|reply
I'll be using this in the morning to easily log into all my gmail accounts from work. When I leave work I have a logoff script that clears all my cookies. This logs me into all gmail accounts that I am logged into on my phone without having to log in several times.
[+] Aissen|14 years ago|reply
Stop! If you're on an untrusted machine, this is untrusted, too. It should be pretty easy to install alternative certificates, MITM this page, and serve you a bad QR code that will give access to your account to someone else.

They might not be able to change your password (if you have 2-factor auth), but they could read/forward all your mail, delete documents, etc.

This isn't enough to work on untrusted computers on untrusted networks (but it's still damn useful for fast-login).

[+] sc00ter|14 years ago|reply
> MITM this page, and serve you a bad QR code

You're then reading the QR code on what is assumed to be a trusted device on a trusted network (your mobile phone). The QR code would have to link to a bogus website masquerading as Google in order to intercept your username & password. It requires a degree of vigilance on the part of the user at this point to ensure that the login page is genuinely Google, but anyone using this auth mechanism must be reasonably security conscious to start with.

By your assertion, the only solution is to not use untrusted computers / networks at all. In the event that you have to, this is one way to do so more securely.

[+] runjake|14 years ago|reply
I don't have much to add, other than that this QR code is a timed one-time pad, so it expires rather quickly.

Visit the site and leave it open for a few minutes, and you'll get an expiration popup. So, people aren't going to be rummaging through the cache or snapping a screenshot at the cafe and going home and logging in as you.
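
An added model (constructed here; not Google's code, and the sesame internals were never published) of the three properties the comments in this thread describe: the token behind the QR code is single-use (so a copied QR code is worthless once redeemed), it expires quickly, and it is bound to the desktop session that requested it. The 120-second lifetime, the class and method names, and the in-memory dictionaries are assumptions.

```python
import secrets
import time

TOKEN_TTL_SECONDS = 120  # assumed lifetime; the thread only says it "expires rather quickly"


class ScanLoginServer:
    """Toy server side of a scan-to-login flow (constructed model, not Google's code).

    The desktop session requests a token, the QR code carries that token, the
    already-logged-in phone approves it, and the desktop session redeems it once.
    """

    def __init__(self, clock=time.time):
        self.clock = clock      # injectable clock so expiry can be exercised in tests
        self.pending = {}       # token -> {"session": sid, "expires": float, "user": None or str}
        self.sessions = {}      # desktop session id -> logged-in user (None until redeemed)

    def new_desktop_session(self):
        sid = secrets.token_urlsafe(16)
        self.sessions[sid] = None
        return sid

    def issue_qr_token(self, sid):
        """Called when the desktop browser loads the QR page; the QR encodes a URL with this token."""
        token = secrets.token_urlsafe(24)
        self.pending[token] = {"session": sid, "expires": self.clock() + TOKEN_TTL_SECONDS, "user": None}
        return token

    def approve_from_phone(self, token, phone_user):
        """Called when the logged-in phone opens the URL from the QR code."""
        entry = self.pending.get(token)
        if entry is None or self.clock() > entry["expires"]:
            self.pending.pop(token, None)  # unknown or expired: discard it
            return False
        entry["user"] = phone_user
        return True

    def redeem_on_desktop(self, sid, token):
        """Called by the polling desktop session; consumes the token on success."""
        entry = self.pending.get(token)
        if entry is None:
            return None
        if self.clock() > entry["expires"]:
            del self.pending[token]
            return None
        if entry["session"] != sid or entry["user"] is None:
            return None  # another session is asking, or the phone has not approved yet
        del self.pending[token]  # single use: a copy of the QR code is now worthless
        self.sessions[sid] = entry["user"]
        return entry["user"]
```

Binding the token to the requesting session stops a token copied out of someone else's page from being redeemed elsewhere, but it does nothing against the case edlea and Aissen raise, where the attacker's own browser is the one that requested the QR code in the first place.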

[+] rpledge|14 years ago|reply
This is very similar to what I've been working on at qrauth.com

Glad to see my concept isn't too off the wall

[+] megamark16|14 years ago|reply
Looks cool, but your about page is broken. Please fix so I can find out more About your project :)
[+] ComputerGuru|14 years ago|reply
Doesn't support multiple accounts yet. Unfortunately, the only way of dealing with multiple Google accounts (for instance, personal and work) remains to use two different browsers or two different browser profiles.

On iPhone, the process isn't as smooth. You'll be taken to a web-based login page to enter your account info. However, it seems to be buggy as if you're logged into one account on your desktop and another account on your mobile weird stuff happens.

[+] tjoff|14 years ago|reply
> On iPhone, the process isn't as smooth. You'll be taken to a web-based login page to enter your account info.

Isn't that how it's supposed to work? That's how it works on my Nexus S. Much hassle... Would be better to have an app that does that automatically (since Android is pretty much always logged in but the phone browser pretty much never is).

[+] veemjeem|14 years ago|reply
Seems like dasherization is always google's last priority...
[+] deepuj|14 years ago|reply
Sweet! Seeing a genuine use of QR code for the first time.
[+] Leynos|14 years ago|reply
My favourite use case for QR codes is the links to a web site showing realtime bus arrival times you see at bus stops that don't yet have a realtime arrivals sign up. You can type the web address in manually too, of course, but the QR code is much more convenient.
[+] kpi|14 years ago|reply
Great use case for QR codes.
[+] _djo_|14 years ago|reply
The service has been shut down for now. If you try to access the URL, this text is all that's there:

Hi there - thanks for your interest in our phone-based login experiment. While we have concluded this particular experiment, we constantly experiment with new and more secure authentication mechanisms.

Stay tuned for something even better!

Dirk Balfanz, Google Security Team.

[+] hamvocke|14 years ago|reply
Seems like it has been shut down. The site currently only provides a message that this has been an experiment:

While we have concluded this particular experiment, we constantly experiment with new and more secure authentication mechanisms.

Stay tuned for something even better!

[+] resnamen|14 years ago|reply
Wow! This is sweet, but I wish Google had an even shorter URL for it.
[+] sp332|14 years ago|reply
Try logging in to http://goo.gl/ and paste the accounts.google.com/sesame link. You'll get your own shortened link.
[+] sylvanaar|14 years ago|reply
Remember to log out manually when you are done. Just closing the browser isn't enough.
[+] roadnottaken|14 years ago|reply
it's kind of neat to re-load the QR-code quickly -- you can see that some parts are refreshed constantly, while other parts only refresh every few seconds. Presumably this has to do with the expiration behavior...
[+] ecesena|14 years ago|reply
Now closed... broken or really an experiment!?