Google has apparently been testing an alternative to its two-step verification option for accessing Gmail and Google accounts, and it uses a QR code.
The option is thought to have been devised for allowing users to log in on public computers, which are likely to be infected with keyloggers or information-stealing malware.
It works like this: on the public computer, the user visits a special Google page that displays a unique QR code. Scanning that code with a phone makes a link appear in the phone’s browser. The link leads to a Google Accounts login page; once the user enters the credentials there, on the phone, the browser on the computer is redirected to the logged-in Google account, so the credentials are never typed on the computer itself.
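The hand-off just described, as an added and constructed sketch rather than Google’s own code: the computer is issued a random nonce that the QR code would carry, the phone authenticates and binds the account to that nonce, and the computer then redeems the nonce for a session. The `QrLoginServer` class, `demo_verify` and the 120-second lifetime are assumptions made for the illustration.

```python
import secrets
import time

CHALLENGE_TTL = 120  # seconds a QR challenge stays valid (assumed value)

def demo_verify(user, password):
    """Constructed credential check standing in for the Google Accounts login."""
    return {"alice": "correct horse"}.get(user) == password

class QrLoginServer:
    def __init__(self, now=time.time):
        self.now = now
        self.challenges = {}  # nonce -> {"created", "user", "used"}
        self.sessions = {}    # session id -> account name

    def issue_challenge(self):
        """Step 1: the computer loads the page; the QR code encodes a URL with this nonce."""
        nonce = secrets.token_urlsafe(32)  # unguessable and single-use
        self.challenges[nonce] = {"created": self.now(), "user": None, "used": False}
        return nonce

    def _live(self, nonce):
        """Return the challenge only if it exists, is unused and has not expired."""
        ch = self.challenges.get(nonce)
        if ch is None or ch["used"]:
            return None
        if self.now() - ch["created"] > CHALLENGE_TTL:
            del self.challenges[nonce]  # stale nonce: drop it rather than honour it
            return None
        return ch

    def phone_login(self, nonce, user, password, verify=demo_verify):
        """Step 2: the phone follows the scanned link and the user signs in there only."""
        ch = self._live(nonce)
        if ch is None or not verify(user, password):
            return False
        ch["user"] = user  # bind the authenticated account to this nonce
        return True

    def desktop_poll(self, nonce):
        """Step 3: the computer polls; once approved it gets a session and is redirected."""
        ch = self._live(nonce)
        if ch is None or ch["user"] is None:
            return None  # not yet approved, expired or unknown: keep waiting
        ch["used"] = True  # one redemption only; a second poll gets nothing
        session_id = secrets.token_urlsafe(32)
        self.sessions[session_id] = ch["user"]
        return session_id
```

The two properties worth checking in any such design are visible in `_live` and `desktop_poll`: a nonce expires unused after its lifetime, and it can be redeemed for a session exactly once.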
The project has (appropriately) been named Sesame, but the page hosting it has already been replaced by a message by Dirk Balfanz of the Google Security Team: “Hi there – thanks for your interest in our phone-based login experiment. While we have concluded this particular experiment, we constantly experiment with new and more secure authentication mechanisms. Stay tuned for something even better!”
According to ZDNet, Balfanz intimated that the option might not be implemented as such. “We always work on improving authentication, and try out different things every now and then. We’re working on something that I believe is even better, and when that’s ready for a public trial we’ll let you know,” he commented.
While using a QR code for authentication seems very interesting, if implemented, I feel sure it will soon be misused by malware peddlers.