Google recently introduced a fun (and more secure) way to log into your Google account from a public terminal without entering your password into the PC, and instead using your smartphone and a QR code.
The method is similar to how Google sets up your handset for its two-step log-in process introduced in February 2011. Google’s two-step authentication system requires you to enter your password as well as a unique short code generated by a trusted device (your smartphone) to access your account.
The new Google QR log-in now being discussed on Google+ and Hacker News uses your smartphone as a kind of proxy for the desktop PC’s browser. You will be able to enter your Google account password into your smartphone and then the PC will “automagically” log you in to your Google account on the PC.
This is a neat trick to use when traveling and relying on public computers, and can protect you from a PC with keylogging software that records every keystroke entered into a compromised machine.
In my tests, I was able to log in using an iPhone as well as an Android device; it’s said to also work with Windows Phone 7.
It’s not clear when Google created the new QR code log-in system. The earliest mention I could find was on Reddit in late December, but as far as I can tell Google has never publicly announced this log-in option.
Here’s how to use Google’s new authentication process.
Get a QR Code Reader
To get started, you need a QR code reader for your smartphone. In my tests, any QR code reader will work, including Google Goggles, the search giant’s image-as-query smartphone app. You can find Google Goggles on the Android Market and as part of the Google Search app for iOS.
Once your smartphone is up and running with the QR reader app, go to https://accounts.google.com/sesame, a secure Google page that displays a QR code. Next, open the code reader app on your smartphone and take a snapshot, or wait for the app to recognize the code on the screen.
Your app will then tell you the QR code is a URL. Allow the app to open the URL and you will arrive at a Google account log-in screen where you are prompted to enter your account password. The first time you use this system, you may also have to enter your username.
Once that’s done, you should see a warning screen telling you not to proceed unless you scanned a log-in bar code at Google.com. If you have arrived at this page from Google.com, select either “Start with Gmail” or “Start with iGoogle” from the warning screen.
A few seconds later, the browser window on the PC should automatically redirect to your Gmail inbox. In my tests, you could use this process whether your smartphone was using a cellular data connection or the same Wi-Fi network as the PC.
A Word of Caution
While this new log-in method is fun to try and could come in very handy at times, this is not a foolproof method for keeping your log-in credentials safe. If you are using Google’s QR code method in an airport, consider using your 3G/4G connection to enter your password instead of the airport’s free, open Wi-Fi network. That way your activity won’t be captured by any malicious hackers using packet sniffers to grab Wi-Fi traffic. Google’s QR authentication does use an encrypted channel through HTTPS, but it’s safer to stay off Wi-Fi anyway.
Also, before scanning the QR code, make absolutely sure that the web address is secure and coming from google.com, and not something like go.ogle.com. If the URL does not start with HTTPS, or “google.com” does not sit directly before the first “/” slash that follows the “https://” prefix, then you are not on Google’s web page. It would be very easy for a motivated hacker to set up a fake Google QR code and subsequent log-in page to steal your credentials.
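The same address check can be applied to the URL a QR reader decodes before you let it open. This is an added example, not code from Google or from this article; `checkLoginUrl`, `ALLOWED_HOST` and the sample URLs are constructed for illustration, and it goes slightly beyond the text by also rejecting addresses that only contain “google.com” somewhere other than the host.

```javascript
// Added example: vet a URL decoded from a QR code before opening it.
// ALLOWED_HOST and checkLoginUrl are names chosen for this example.
const ALLOWED_HOST = "google.com";

function checkLoginUrl(raw) {
  let url;
  try {
    url = new URL(raw.trim()); // same parsing rules browsers use
  } catch (e) {
    return { ok: false, reason: "not a parseable URL" };
  }
  if (url.protocol !== "https:") {
    return { ok: false, reason: "not HTTPS" };
  }
  // Text before "@" is userinfo, not the host the browser connects to.
  if (url.username !== "" || url.password !== "") {
    return { ok: false, reason: "text before '@' is not the host" };
  }
  // hostname is lower-cased; non-ASCII labels are converted to punycode,
  // so look-alike characters cannot match the comparison below.
  const host = url.hostname.replace(/\.$/, "");
  if (host !== ALLOWED_HOST && !host.endsWith("." + ALLOWED_HOST)) {
    return { ok: false, reason: "host " + host + " is not under google.com" };
  }
  return { ok: true, reason: "HTTPS on " + host };
}

// Constructed sample inputs (login.example is a reserved example domain).
const samples = [
  "https://accounts.google.com/sesame",
  "http://accounts.google.com/sesame",
  "https://go.ogle.com/sesame",
  "https://notgoogle.com/sesame",
  "https://google.com.login.example/sesame",
  "https://accounts.google.com@login.example/sesame",
  "https://login.example/google.com/sesame",
  "https://g\u043e\u043egle.com/sesame", // Cyrillic letters in place of "oo"
];
for (const s of samples) {
  const r = checkLoginUrl(s);
  console.log((r.ok ? "OK      " : "REJECT  ") + s + "  (" + r.reason + ")");
}
```

Only the first sample passes; every other one fails on the scheme, the userinfo part, or the host suffix.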
Finally, keep in mind that this is a good way to protect yourself against keylogging attacks, but motivated hackers can use many other tricks to try to steal your log-in credentials and get access to your account. They could, for example, use a man-in-the-middle attack where all data to and from the PC you’re using is intercepted by a third party.
In my tests, the password had to be entered on the smartphone every time in order to get authenticated on the PC. So, if someone steals your phone they may not be able to use your device to log in using the QR method.
Google’s new QR method is a fun way to get access to your Google account, but don’t forget to log out of your account once you’re done.
UPDATE: Shortly after PCWorld wrote about Google’s QR code log-in, the search giant decided to stop offering the feature, calling it an experiment. “We always work on improving authentication, and try out different things every now and then,” said Dirk Balfanz from Google’s security team. “We’re working on something that I believe is even better, and when that’s ready for a public trial we’ll let you know.”