remember this url: https://accounts.google.com/sesame . next time you want to check your gmail on a public computer, don't trust even the incognito window because an installed keylogger can record your keystrokes, which unsurprisingly, include your password. use your phone to scan the QR code on the sesame web page and hit the resultant url -- the desktop browser will automagically redirect to your logged-in gmail without entering your password. yes, i think you do need an android phone with a properly configured google account for this to work.

update: iphone works as well per +Jason Ferrando
56 comments
 
I can confirm this also works on iPhone. Its functionality also reminds me of a sort of sync feature I developed for one qr-based project.
 
Any phone with a web browser and a scanner app that redirects the link to the browser should work. You just log in using your phone's browser, so the password info stays on your phone, not the computer.
 
Yeah, the authentication is done from the phone, then the authenticated session is passed back to the browser (whose session is identified by a unique code in the QR).
 
Why not just use google's two-step verification?
 
Google's two–factor verification isn't that much different. You still need your phone to get a verification code, which you would type into the dubious computer. And you would have to set up all your google apps with different passwords as a side effect. You would also need to do this with all computers, even if you trust them. There is a 30–day remember period, if you like, but that isn't useful if other people (say family members) use the computer too.

On the other hand, two–factor verification works with any text–capable phone. And overall, it should be more secure since a hacker would also need your phone number.
 
If you have a phone, use it to check your email.
 
Looks very similar to initiatives such as http://tiqr.org, main difference is that login still happens on the original site (through a phone) instead of using an app with a secure back channel.
 
If you have a phone, you'll still want to use the computer for G+, Docs, etc. Those kind of suck on small phones compared to having a nice screen and keyboard.
 
This is simply awesome! Simple in the way it is done; awesome in the sense that it is a solid way to do it, and in hindsight, an obvious way...!

Steps:
1. load up accounts.google.com/sesame on any untrusted public computer
2. using your smartphone, scan the QR code displayed on the untrusted public computer
3. click the resulting URL to load up a Google Accounts page on the smartphone
4. sign in
5. you will get a page saying, "By proceeding, you give another computer access to the following accounts: avgJoe@gmail.com"
6. once logged in on the smartphone, you get a warning and two buttons: Start with Gmail & Start with iGoogle
7. click on, say, the Start with Gmail button, and Gmail will load up on the untrusted public computer

No keying in your password on the untrusted public computer! So Simple!
The session expires in a short while and the QR is no longer valid! So Awesome!

Thank you, +Google!
 
If you re-try with an expired QR code, you'll get this:

An error occurred. Re-load the login page on the PC and take the picture again.

Sweet, isn't it!
Vince T
 
If the browser is not trusted, couldn't an attacker perform a MITM to access the Gmail account? The password would not be recorded, but I think it remains safer to check the email on the phone.
 
+Vincent Toubiana SSL/TLS should be end-to-end encrypted and authenticated. Users should probably click the padlock and verify that they're looking at a legit Geotrust/Google Internet Authority certificate.
 
It would be interesting to check if Google turns off account and password changing using this approach. I hope so, otherwise a man in the middle attack ~could~ likely take over your account, besides reading your e-mail during that session.
 
It is a regular access; mail settings, account settings, profile et al...
 
As a point of convenience, it would be nice if there was a dedicated mobile application for this so that I could use the established account on the phone instead of keying in my password in the Android browser.
 
Very innovative. Now that Microsoft's Tag for Android can read QR codes, it'll be interesting to see if they work together. Last time I tagged a QR code it brought up the link, but it wasn't clickable.
 
My phone service is currently off, but using Microsoft Tag it seemed to try to bring up the page, anyway.
 
+Frankie Bloise Microsoft needs to not compete against its own product: Microsoft Tag and Bing Vision QR code reader?
 
So if someone steals your phone, they could easily access your email (and more) without even knowing your password or even your email address?
 
+Stephen Foust-Christensen That's very true too. I guess in general the phone isn't very secure unless using a strong password.

Another possibility is that someone could temporarily use your phone to login to your account on a computer, then return the phone before you realize it's missing. I admit it's unlikely, but still possible. In this situation, the person could have access to your account without you realizing that it's been compromised.
 
+Matt Soave, good point. Maybe it makes sense that you wouldn't have access to change settings/etc unless you actually typed your password? Basically, give you the features you would normally see when accessing your email via POP3/IMAP, but above-and-beyond that, it would be good to require a password.

It isn't uncommon for websites like Amazon to require a password re-type in order to checkout -- I would see this as the same thing.
 
+Stephen Foust-Christensen If I'm understanding the intent of this security feature correctly, it seems to be based on a fear of keylogging software. If this is really the case, it might make more sense (similar to what you are saying) to type in your password on the phone instead. This would keep it just as secure as a long password but without the risk of keylogging.
 
So I'm assuming you don't need this if you're already using the 2-step authentication app on your phone? It works without an internet connection on your phone if you're abroad in an airport, which surely is even more useful?
 
looks like a security issue due to unlocked or stolen phones
and definitely there should be an option to ENABLE/DISABLE for Google Apps administrators!
 
Can I disable this for my account?
 
I didn't like this a bit. This is like taking 2 factor authentication and removing one of the factors and making the authentication process vulnerable again. (I tried this and noticed that it doesn't ask my password on either the phone or the desktop.)
What if a person takes your phone when you are distracted and scans the code on his computer? The whole process takes only seconds, and he doesn't even have to know the password (1st factor).
I'm surprised Google allows such a foolish authentication process.
If you want to be secure when you are using public computers use 2-step verification that Google provides.
 
Yea! It's gone - but promises something better... :-)

"Hi there - thanks for your interest in our phone-based login experiment.
While we have concluded this particular experiment, we constantly experiment with new and more secure authentication mechanisms.

Stay tuned for something even better!"

+Dirk Balfanz, Google Security Team.
 
+Frankie Bloise last time I was working for an advertising company, my boss used to leave his phone on the desk for hours... (Android!)
 
+Frankie Bloise
- "Can I take a look at your new phone?"
- "Hey, let me show you something on your phone."
- Fake conflict between strangers (in restaurant for example).
- ...
 
+Frankie Bloise +Ondřej Pokorný I don't see any security related troubles if: 1) there is an OPT-IN, 2) always resets mobile session, 3) can be controlled in Google Apps dashboard console for deployment = lot of work for Google
 
Unlike stealing your phone, this method would make it really easy for someone to pick up an (unlocked) phone and get access to your gmail on a different phone or laptop, then put your phone back... it's not so far fetched
 
+Frankie Bloise If you were signed into Google account with your mobile browser it let you directly in. I've tested it on Android and Maemo while it was still live and didn't need to enter password on any of them.
 
A rogue website could proxy the barcode, in real time, to unsuspecting users and ask them to point their phone at it to see the next picture (think porn sites). Good that it is gone.
 
@Sachin Shenoy Each barcode is different and expires after a few minutes
 
+James Shannon Why should that stop the misuse? Hope you have heard how some porn sites (allegedly) solved captchas using similar technique?

1. An unsuspecting user visits page of rogue site.
2. Website backend server visits accounts.google.com/sesame and fetches the barcode.
3. The rogue site displays the barcode to the user prompting user to point the phone at it, to see the next page.
4. The rogue site's server then waits for Google to send the cookie on the page they have open with Google.
5. If they don't get the cookie, they don't show the next page. If they do, they show the next page, but the account has been compromised.
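To make the two things discussed in this thread concrete, here is an added Python model (not Google's code, and not from anyone in the thread) of the flow listed in the "Steps" comment above and of the relay scenario just described. The server, the session and token names, the token lifetime and the `avgJoe@gmail.com` account are all assumptions constructed for the example; the confirmation text and the expiry error are the ones quoted in the thread. The design point it isolates: the server binds the sign-in to whichever browser session fetched the code, so the confirmation page on the phone (which names the account but not the computer) is the only place the user can notice that the wrong computer is about to be granted access, and expiry or single use of the code does not change that.

```python
import secrets

# Assumed lifetime of a sesame code; the thread only says it "expires after a few minutes".
TOKEN_TTL_SECONDS = 180
# Error text quoted in the thread for an expired code.
EXPIRED_MESSAGE = ("An error occurred. Re-load the login page on the PC "
                   "and take the picture again.")


class FakeClock:
    """Controllable clock so expiry can be exercised without sleeping."""
    def __init__(self, now=0.0):
        self.now = now

    def __call__(self):
        return self.now


class SesameServer:
    """Toy model of the QR-bound login service (constructed for illustration)."""

    def __init__(self, clock):
        self.clock = clock
        self.pending = {}           # token -> (browser session id, issue time)
        self.browser_sessions = {}  # browser session id -> account granted to it

    def new_login_page(self, browser_session_id):
        """Step 1: a browser loads /sesame and receives a fresh one-time code (the QR)."""
        token = secrets.token_urlsafe(16)
        self.pending[token] = (browser_session_id, self.clock())
        return token

    def _live(self, token):
        """Return the pending entry for a token, or None if unknown or expired."""
        entry = self.pending.get(token)
        if entry is None:
            return None
        if self.clock() - entry[1] > TOKEN_TTL_SECONDS:
            del self.pending[token]  # lazily expire the code
            return None
        return entry

    def phone_confirmation_page(self, token, phone_account):
        """Steps 3-5: the phone opens the scanned URL. The phone browser is already signed in
        as phone_account, so no password is asked; the user only sees this warning text."""
        if self._live(token) is None:
            return EXPIRED_MESSAGE
        return ("By proceeding, you give another computer access to the "
                f"following accounts: {phone_account}")

    def phone_approve(self, token, phone_account):
        """Steps 6-7: 'Start with Gmail'. The account is granted to whichever browser session
        fetched this token; the server cannot tell on whose screen the QR was displayed."""
        entry = self._live(token)
        if entry is None:
            return False
        browser_session_id, _ = entry
        self.browser_sessions[browser_session_id] = phone_account
        del self.pending[token]  # single use: a second scan gets the error page
        return True

    def browser_poll(self, browser_session_id):
        """The waiting browser asks whether it has been signed in yet."""
        return self.browser_sessions.get(browser_session_id)


def normal_flow():
    """Public PC shows its own code, phone approves, PC is signed in."""
    server = SesameServer(FakeClock())
    token = server.new_login_page("public-pc")
    server.phone_confirmation_page(token, "avgJoe@gmail.com")
    server.phone_approve(token, "avgJoe@gmail.com")
    return server.browser_poll("public-pc")


def expired_flow():
    """Scanning a code after TOKEN_TTL_SECONDS yields the quoted error instead of a sign-in."""
    clock = FakeClock()
    server = SesameServer(clock)
    token = server.new_login_page("public-pc")
    clock.now += TOKEN_TTL_SECONDS + 1
    return server.phone_confirmation_page(token, "avgJoe@gmail.com")


def reused_flow():
    """A code that has already been used cannot be approved a second time."""
    server = SesameServer(FakeClock())
    token = server.new_login_page("public-pc")
    server.phone_approve(token, "avgJoe@gmail.com")
    return server.phone_approve(token, "avgJoe@gmail.com")


def relayed_code_flow():
    """The code is fetched by one browser session and merely displayed by another party.
    The grant goes to the fetching session; the victim's own PC is never involved."""
    server = SesameServer(FakeClock())
    token = server.new_login_page("rogue-backend")  # fetched server-side, then shown on a web page
    server.phone_confirmation_page(token, "avgJoe@gmail.com")  # the warning names the account only
    server.phone_approve(token, "avgJoe@gmail.com")
    return server.browser_poll("rogue-backend"), server.browser_poll("victim-pc")
```

`relayed_code_flow` returns the account for the `rogue-backend` session and `None` for `victim-pc`, which is the whole point of the relay concern: freshness and single use of the code protect against replay of an old QR, not against a live QR being shown on a page the user did not request it from.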
 
+Emre Rusvanli I agree entirely. For what it's worth, as +Dirk Balfanz has said, this was an internal experiment that wasn't meant to be found or used by the public.
 
+Emre Rusvanli If you do this, "If you want to be secure when you are using public computers use 2-step verification that Google provides," you've still lost your password to keyloggers! I use a pattern, albeit random, a pattern still, and that is exposed - and I don't like it one bit!

This experiment is an excellent circumvention to keyloggers - just make it mandatory to type in username/password on the mobile... Keyloggers snagging one's passphrases is a bigger worry than the trouble of having to key in one's credentials on a device one trusts.
 
I agree with +Emre Rusvanli. +Fynali Iladijas, who cares if keyloggers get your password? They still cannot access your email account if you are using Google 2-Step Verification.
 
+Jeremy Stine, you asked, "who cares," I really do... especially because it exposes a complicated & un-guessable pattern I use to generate all my passwords! :-(

And other services that I have used that pattern to produce a pass-phrase for do not have/use/support a 2-legged auth mechanism!
 
I am working on something similar to this for my final project
 
So.. what happened to this? Why did google shut this down? Why hasn't it taken off? Any updates since this post?