Looks like people have found the page for an experiment we've been running for phone-based authentication.

Folks - it's just that - an experiment - and will likely go away at some point. We always work on improving authentication, and try out different things every now and then. We're working on something that I believe is even better, and when that's ready for a public trial we'll let you know.

I'll label that experimental page appropriately when I get a chance so people don't start depending on an unsupported feature...
Jussta
 
I have log-in code verification - and I love it. This very sweet lady calls me within seconds and gives me a different code each time. Very thoughtful of her and, er, you +Googlers
 
Will look forward to it [wipes drool].
 
Great idea. But I had a problem with the 2-step verification process a few weeks ago where it kept sending me a six-digit code every hour even after I got everything set up via my cell phone and Gmail in the first hour. Luckily I have free SMS. =P I had over 27 six-digit codes.
 
Also seems to work with Microsoft Tag, which I've been playing with now that it reads QR, too.
 
Hi +Dirk Balfanz - it's great that you guys are exploring options to make using Google services more convenient. What worries me is that something like this undocumented feature made it out into the wild and works with every account, including mine. I would have expected experiments with severe security implications are done on a small scale with users who know that they are part of the experiment.

I know, leaving a smart phone unlocked and unattended is not a good idea in any case. But with this QR logon method it takes a "bad guy" just 10 seconds and he can walk away with a session on his laptop, with unlimited time to play with my data.

If my phone goes missing I will notice sooner rather than later, if someone walks off with an authenticated session I might never find out about it.

The main flaw that makes this method insecure is that it does not ask for my password before authenticating the session, it just uses the credentials already stored on the phone. 2 factor authentication is reduced to a single factor here, possession of the unlocked phone.
 
+Long Nguyen Well, I think the whole purpose of this is to prevent issues logging via public computers, not someone else's phone opening your Gmail?
 
Great idea but it's not new. With the Certphone app you can authenticate with a QR code. Password and personal information are stored securely with encryption on the smartphone.
 
+Peter Roehrig As far as I got this, the login page is just displayed on the mobile phone instead of the public computer. There is no auto-login by scanning the QR code (using the Google account of your mobile phone). You still have to type in your user name and password by hand after scanning the code. Should be no security risk then...
 
+Fabian Krüger If you were signed into a Google account with your mobile browser it let you directly in. I tested it on Android and Maemo while it was still live and didn't need to enter a password on any of them.
 
I do hope this (or something more convenient, though I can't fathom how) comes back, even better if it's opt-in.

I also wish that Google would include more users in these experiments on an opt-in basis (like Google Labs). There are millions of people eager to help you guys test and gain feedback on the stuff you're working on. Let us.
 
Was there something about the experiment that made you NEED to take it down? Trying to understand why you'd pull this otherwise rather than waiting until the "even better" thing is up and ready.
 
+Dirk Balfanz Really missing the QR code login feature already, you guys are having some really great ideas down there. I'm excited for the new login method you mentioned since I use public terminals everyday.

Good job guys :).
Nick P
+
2
3
2
 
Can you use a similar system to Facebook where you just email a code to SMS that you enter instead of password when you try to login from an unknown host? I tried Google two step authentication, but stopped using it quite quickly as that whole individual application passwords thing is a pain in the neck...
 
Loved it - looking forward to seeing it back again in some form
 
Hi Dirk,

your approach using the QR code for secure login is a good direction, towards showing the door to malware & co.

-> checkout: http://www.ekaay.com/?lang=en

Why not go a step further and think about integrating the full concept, as done by ekaay?

Contact me under: thomas.brandtstaetter@synargos.de in case you want more info. We'll support integration of ekaay into the Google backend!

Greetings,
Thomas Brandtstaetter
 
+Dirk Balfanz I think the approach with a QR code login is great. I hope the new solution works with such a QR code, too. I hope it's NOT something that forces one to install yet another app that is only available on specific phones, while QR codes work with a wide range of smartphones.
 
+Vincent Pitoscia The way it worked at the moment reduced security (see my comment above). They either had to take down the page or modify the way stored credentials are handled on Android phones. Taking down the page would have been much easier.
 
+Peter Roehrig Simplicity. My phone will be my credit card, my key, my wallet, my note taker. If you lose your key, your house is exposed to the finder. That's the way life is. Now you can think about how you can make your key more secure. But I want to log in with my phone hassle free. It's as simple as that. It's much less risk than typing your password in an unknown computer where keyloggers are waiting for you, right?
 
It is very interesting to see how Google is experimenting with login services.
In February 2010 our company KikuSema GmbH was nominated as one of the TOP TEN MOST INNOVATIVE COMPANIES at the RSA Conference/Innovation Sandbox in San Francisco. We presented there our security app 'FabulaRosa'.
This app uses pattern logins together with QR codes for authentication between personal smart phones and public devices in unsafe environments. Additionally we presented the app 'FabulaRosa' at an event of the Information Security Society in Zurich in October 2010. The event was related to Google.
At the Exposition of the RSA Conference 2011 we presented the augmentation of our app: the new transfer protocols, including QR code and OTP.
The outstanding feature of the SecApp 'FabulaRosa' is the creation of complex passwords by visualisation. The passwords are not stored at all; they are generated in the moment you draw the image on the screen.
The big disadvantage of many authentication mechanisms, including Google Sesame, is the absence of a "creative act of a human being" within the authentication process. So far the solutions put emphasis on the possession of a certain device or a token and on complex, non-transparent procedures.

FabulaRosa together with the New Protocols has a huge potential for all kinds of logins.
For more details please follow the links:
http://www.signpassone.com/SignPassOne.aspx

The last presentation at Pitch Live London 25th October 2011:
FabulaRosa - The Image in Your Mind - PitchLive2011

Shortest presentation:
FabulaRosaFourSteps.mp4

Our website and blog:
https://www.fabularosa.com
http://www.fabularosamail.com/blog/

Video to the Google related event:
Fabularosa - The Image in Your Mind von C. und U. Ziske

It would be great to hear from you anyway. We're looking for partners for further developments. We are convinced that only a global player like Google has the resources to implement and establish the potential of this new kind of authentication.
Christine / Christine.ziske@kikusemamail.de
 
+Ryo Cook Your key does not contain the address of your house, you know it, a random finder does not. Two factor authentication is all about combining a thing you know (your password) with something you own (a phone, smartcard, etc).

Regarding risk: if I was sure a computer is compromised I would never use it, even without typing in my password - it can still take screen shots of everything I do and perhaps pretend to close the session when I log out and actually forward the session key to someone else.

The QR logon, if it can be made secure by forcing you to enter your password on your phone, would in my view still only be useful for computers with a low but unknown likelihood of malware.

Convenience vs security is always a trade off. One where each person decides for themselves where to be on the scale between totally secure and totally convenient. The QR logon as it was forced on my Google account without my knowledge, was too far away from secure to be acceptable to me. If it comes back as something users can opt in to that is fine, I will not - and you can.
 
+Peter Roehrig - you're making good points about malware being able to do nefarious things other than simply logging your password.

I do want to point out, though, that giving another computer access to your account is a common pattern online - there's even a standard for it (OAuth) that is implemented by many service providers. If you're already logged in on the computer (or device) that is granting the access, this is usually done with just a few clicks through a warning- or consent-page, without having to authenticate again.

It's always a good idea to lock your phone and be aware of its whereabouts - today's smart phones hold a treasure trove of information that you don't want to fall into the wrong hands.
Kyva Go
 
Please let it be BrowserID
 
I love the security of 2-step authentication, and dislike logging into other websites that don't automatically use OAuth with my Google account, because of the written passwords I have to keep typing in.

Although the Sesame experiment made me overjoyed in its current version, and I would have loved to have it stay, I hope to see it back in a better rendition.
 
+Peter Roehrig As +Dirk Balfanz said in response, if someone has physical access to your phone, your session key is probably the least of your worries. The security exposure you outline is rather narrow, and in comparison with the many good practices Google implements in terms of security, from two-factor authentication to full-site SSL by default to SSL certificate pinning in Chrome, the good quite heavily outweighs the "experimentation."

The larger security implication I would have been worried about would be decoding the QR code and sending it to a logged-in Google user to enable account access via what's essentially a CSRF authentication. I wouldn't be surprised if the actual implementation we end up seeing is based around a dedicated app to prevent just this very thing (i.e. the QR-encoded link does nothing unless accessed via the application).

Still - this feature was neat enough that I stumbled back upon this thread trying to track down an alternative. I'll be happy to see it return, and even happier if it incorporates even more robust security designs.
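The thread raises three design points about a "scan a QR code, get logged in on the public computer" flow: Peter Roehrig's observation that completing the login from credentials already stored on the phone collapses two factors into possession of an unlocked phone; Dirk Balfanz's comparison with the explicit consent screen an OAuth-style grant shows; and the comment just above about a QR-encoded link that could be handed to any signed-in user. The model below is an added illustration written for this thread. It is not Google's code, not the Sesame experiment, and not any product mentioned in the comments; the server class, the `accounts.example.test` URL, the session ids and the user "alice" are all constructed. It contrasts the observed behaviour (a signed-in phone that opens the link is enough) with a hardened variant in which the nonce in the QR code is single-use, short-lived and bound to the browser that requested it, opening the link only produces a consent prompt, and completing the login needs a fresh password check on the phone.

```python
"""Toy model of a QR-code login flow for a public computer.

Constructed example for illustration only (not any real service's code).
"""
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


def _hash_password(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2 so the toy user store never keeps plaintext passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class PendingLogin:
    desktop_session: str  # pre-auth cookie of the browser that displayed the QR code
    created: float        # issue time (seconds); the caller supplies the clock
    used: bool = False    # a nonce may complete at most one login


class QRLoginServer:
    NONCE_TTL = 60.0  # seconds a displayed QR code stays valid

    def __init__(self, require_user_verification: bool = True) -> None:
        # False reproduces the behaviour described in the thread: phone sign-in
        # state alone completes the login. True is the hardened variant.
        self.require_user_verification = require_user_verification
        self._users: Dict[str, Tuple[bytes, bytes]] = {}   # user -> (salt, hash)
        self._pending: Dict[str, PendingLogin] = {}         # nonce -> request
        self._sessions: Dict[str, str] = {}                 # desktop_session -> user

    def register(self, user: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self._users[user] = (salt, _hash_password(password, salt))

    def issue_qr(self, desktop_session: str, now: float) -> str:
        """The desktop browser asks for a QR code; returns the URL it would encode."""
        nonce = secrets.token_urlsafe(16)
        self._pending[nonce] = PendingLogin(desktop_session, now)
        return f"https://accounts.example.test/qr?n={nonce}"   # constructed URL

    @staticmethod
    def _nonce_of(qr_url: str) -> str:
        return qr_url.rsplit("n=", 1)[-1]

    def scan(self, qr_url: str, now: float) -> Optional[str]:
        """The phone opens the scanned link. Only a consent prompt comes back;
        merely opening the link never logs anyone in (the CSRF-style concern)."""
        p = self._pending.get(self._nonce_of(qr_url))
        if p is None or p.used or now - p.created > self.NONCE_TTL:
            return None
        return f"Sign in the browser session {p.desktop_session} as you?"

    def approve(self, qr_url: str, phone_user: str, password: str,
                consent: bool, now: float) -> str:
        """The phone app submits the user's decision. Returns a status string."""
        p = self._pending.get(self._nonce_of(qr_url))
        if p is None:
            return "unknown_nonce"
        if p.used:
            return "replayed"
        if now - p.created > self.NONCE_TTL:
            return "expired"
        if not consent:
            return "no_consent"
        if self.require_user_verification:
            rec = self._users.get(phone_user)
            if rec is None or not hmac.compare_digest(
                    _hash_password(password, rec[0]), rec[1]):
                return "bad_password"   # something you know, checked fresh on the phone
        p.used = True
        self._sessions[p.desktop_session] = phone_user
        return "ok"

    def session_user(self, desktop_session: str) -> Optional[str]:
        """What the polling desktop browser learns once the login completes."""
        return self._sessions.get(desktop_session)


def demo_weak_vs_hardened() -> Dict[str, Optional[str]]:
    """Run both configurations on constructed inputs and collect the outcomes."""
    t0 = 1_000.0
    out: Dict[str, Optional[str]] = {}

    weak = QRLoginServer(require_user_verification=False)
    weak.register("alice", "correct horse")
    url = weak.issue_qr("desk-A", t0)
    out["weak"] = weak.approve(url, "alice", "", True, t0 + 5)   # no password needed

    hard = QRLoginServer(require_user_verification=True)
    hard.register("alice", "correct horse")
    url = hard.issue_qr("desk-B", t0)
    hard.scan(url, t0 + 1)
    out["scan_only"] = hard.session_user("desk-B")                # still None
    out["no_consent"] = hard.approve(url, "alice", "correct horse", False, t0 + 2)
    out["wrong_pw"] = hard.approve(url, "alice", "guess", True, t0 + 5)
    out["ok"] = hard.approve(url, "alice", "correct horse", True, t0 + 6)
    out["replay"] = hard.approve(url, "alice", "correct horse", True, t0 + 7)
    stale = hard.issue_qr("desk-C", t0)
    out["expired"] = hard.approve(stale, "alice", "correct horse", True, t0 + 120)
    out["user"] = hard.session_user("desk-B")
    return out


if __name__ == "__main__":
    for k, v in demo_weak_vs_hardened().items():
        print(f"{k}: {v}")
```

The binding of the nonce to the requesting browser's pre-auth cookie, the one-minute lifetime and the single-use flag limit what a stray or replayed link can do; the consent prompt and the fresh password check on the phone are what keep the flow two-factor even when the phone is unlocked and already signed in.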
 
Please bring this experiment back! The convenience and not having to type in a password in a public / any computer was the best!