Google recently introduced a fun (and more secure) way to log into your Google account from a public terminal without entering your password into the PC, and instead using your smartphone and a QR code.
The new Google QR log-in now being discussed on Google+ and Hacker News uses your smartphone as a kind of proxy for the desktop PC’s browser. You will be able to enter your Google account password into your smartphone and then the PC will “automagically” log you in to your Google account on the PC.
This is a neat trick to use when traveling and relying on public computers, and can protect you from a PC with keylogging software that records every keystroke entered into a compromised machine.
In my tests, I was able to log in using an iPhone as well as an Android device; it’s said to also work with Windows Phone 7.
It’s not clear when Google created the new QR code log-in system. The earliest mention I could find was on Reddit in late December, but as far as I can tell Google has never publicly announced this log-in option.
Here’s how to use Google’s new authentication process.
Get a QR Code Reader
To get started, you need a QR code reader for your smartphone. In my tests, any QR code reader will work, including Google Goggles, the search giant’s image-as-query smartphone app. You can find Google Goggles on the Android Market and as part of the Google Search app for iOS.
Once your smartphone is up and running with the QR reader app, go to https://accounts.google.com/sesame, a secure Google page that displays a QR code. Next, open the code reader app on your smartphone and take a snapshot, or wait for the app to recognize the code on the screen.
Your app will then tell you the QR code is a URL. Allow the app to open the URL and you will arrive at a Google account log-in screen where you are prompted to enter your account password. The first time you use this system, you may also have to enter your username.
A few seconds later, the browser window on the PC should automatically redirect to your Gmail inbox. In my tests, you could use this process whether your smartphone was using a cellular data connection or the same Wi-Fi network as the PC.
A Word of Caution
While this new log-in method is fun to try and could come in very handy at times, this is not a foolproof method for keeping your log-in credentials safe. If you are using Google’s QR code method in an airport, consider using your 3G/4G connection to enter your password instead of the airport’s free, open Wi-Fi network. That way, your activity can’t be captured by malicious hackers using packet sniffers to grab Wi-Fi traffic. Google’s QR authentication does use an encrypted channel through HTTPS, but it’s safer to stay off Wi-Fi anyway.
Also, before scanning the QR code, make absolutely sure that the web address is secure and coming from google.com, and not something like go.ogle.com. The URL must start with HTTPS and have “google.com” immediately before the first single “/” slash; if either is missing, you are not on Google’s web page. It would be very easy for a motivated hacker to set up a fake Google QR code and subsequent log-in page to steal your credentials.
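The check described above can be automated. The following is an added example, not part of the original article or any Google code: it tests a URL (typed on the PC or decoded from the QR code) for HTTPS and a host that really belongs to google.com. The function name, the sample URLs and the placeholder host login.example are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

TRUSTED_DOMAIN = "google.com"  # the domain the article tells readers to look for
HOST_RE = re.compile(r"[a-z0-9-]+(\.[a-z0-9-]+)*")  # plain ASCII host names only


def is_trusted_login_url(url: str, trusted: str = TRUSTED_DOMAIN) -> bool:
    """True only for an https URL whose host is `trusted` or a subdomain of it."""
    try:
        parts = urlsplit(url.strip())
        host = parts.hostname  # lower-cased, without userinfo or port
        _ = parts.port         # raises ValueError if the port is malformed
    except ValueError:
        return False
    if parts.scheme != "https" or not host:
        return False
    if parts.username is not None or parts.password is not None:
        return False  # text before "@" is not the host, so refuse it outright
    if not HOST_RE.fullmatch(host):
        return False  # backslashes, spaces, non-ASCII look-alike letters
    # Match on a label boundary so "notgoogle.com" and "google.com.x" fail.
    return host == trusted or host.endswith("." + trusted)


# Constructed sample URLs; login.example is a placeholder host.
SAMPLES = [
    "https://accounts.google.com/sesame",                # genuine host
    "http://accounts.google.com/sesame",                 # no HTTPS
    "https://go.ogle.com/sesame",                        # the article's look-alike
    "https://accounts.google.com.login.example/sesame",  # google.com is a prefix
    "https://accounts.google.com@login.example/sesame",  # google.com is userinfo
    "https://login.example/google.com/sesame",           # google.com in the path
    "https://login.example\\.google.com/sesame",         # backslash in the host
]

if __name__ == "__main__":
    for u in SAMPLES:
        print("OK    " if is_trusted_login_url(u) else "REJECT", u)
```

Only the first sample passes; each of the others shows "google.com" somewhere in the address without the connection actually going to an HTTPS Google host.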
In my tests, the password had to be entered on the smartphone every time in order to get authenticated on the PC. So, if someone steals your phone they may not be able to use your device to log in using the QR method.
Google’s new QR method is a fun way to get access to your Google account, but don’t forget to log out of your account once you’re done.
UPDATE: Shortly after PCWorld wrote about Google’s QR code log-in, the search giant decided to stop offering the feature, calling it an experiment. “We always work on improving authentication, and try out different things every now and then,” said Dirk Balfanz from Google’s security team. “We’re working on something that I believe is even better, and when that’s ready for a public trial we’ll let you know.”
Connect with Ian Paul (@ianpaul) on Twitter and Google+, and with Today@PCWorld on Twitter for the latest tech news and analysis.