Google: That QR Login Page is Just an Experiment, “We’re Already Working on Something Better”


A nifty little undisclosed Google service made the rounds on the Internet today. By going to a specific website, Google would give you a QR code to scan on your phone and then let you log in to a desktop Gmail session without having to actually type your login credentials on the computer. Google had never announced this service officially. Now it's clear why. According to Google's Dirk Balfanz, a member of the company's security team, this was just an experiment and, says Balfanz, will likely go away at some point.

"We're Already Working on Something Better"

Google is, he says, always working "on improving authentication, and try out different things every now and then. We're working on something that I believe is even better, and when that's ready for a public trial we'll let you know."

Google has now also updated the login page with virtually the same message. As Balfanz notes on Google+, the team doesn't want people to start relying on an unsupported feature.

The web, of course, lit up earlier today when this service first appeared, thanks to a Google+ post by a non-Google programmer who stumbled upon the feature by coincidence. It's not often, after all, that somebody discovers an unannounced Google feature on the public web.

The interest in this service shows, though, that there is clearly a market for this, which will hopefully motivate Google to launch an official product with similar functionality in the near future.


10:19 pm

Open Sesame: A Safer Way to Log In To Your Google Accounts


Google has introduced an interesting new way to log in to your Google accounts: you scan a QR code on the screen instead of typing your password into the computer. To use this new feature, just head over to and a QR code will appear on your screen. Scan the barcode with your phone (you can use any app that can read QR codes for this, including the popular RedLaser app on the iPhone or Google's own apps).

This new log-in mechanism will be especially useful when you are using a public computer where you can't be sure that somebody hasn't installed a keylogger or a similar device.


The feature was first described by Walter Chang on Google+, though it's possible that this tool has been available for longer.

How it Works

Here is how it works: Google presents you with a one-time use barcode on the screen. You scan the code and your mobile scanner app will recognize that it's a link and take you to your mobile browser. Google will then ask you to type in your password on your phone and to confirm that you really want to log in on the computer, too. Once confirmed, your desktop browser will receive notice from Google that you are good to go and open a Gmail session for you.
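The flow described above can be modeled in a few lines. This is an added example, not Google's code: the class, method names, the 120-second lifetime and the in-memory password table are all assumptions made for illustration. It shows the properties that matter for such a scheme: the code is unguessable, expires, needs both a password check and an explicit confirmation on the phone, and can be redeemed by the desktop only once.

```python
import secrets
import time

TOKEN_TTL = 120  # seconds a displayed code stays valid (assumed value)

class QrLoginServer:
    """Toy model of the flow: desktop shows a one-time code, phone approves it."""

    def __init__(self, passwords, clock=time.monotonic):
        self._passwords = passwords          # user -> password, plaintext for the demo only
        self._clock = clock
        self._pending = {}                   # token -> {"expires", "user"}

    def start_desktop_login(self):
        """Desktop asks for a code; the token is what the QR code would encode."""
        token = secrets.token_urlsafe(32)    # unguessable random value
        self._pending[token] = {"expires": self._clock() + TOKEN_TTL, "user": None}
        return token

    def approve_from_phone(self, token, user, password, confirmed):
        """Phone followed the QR link: check password and explicit confirmation."""
        state = self._pending.get(token)
        if state is None or self._clock() > state["expires"]:
            self._pending.pop(token, None)
            return False                     # unknown, already used or expired code
        stored = self._passwords.get(user)
        if stored is None or not secrets.compare_digest(stored, password):
            return False
        if not confirmed or state["user"] is not None:
            return False                     # user declined, or code already approved
        state["user"] = user
        return True

    def poll_desktop(self, token):
        """Desktop polls; returns the user once approved, then burns the token."""
        state = self._pending.get(token)
        if state is None:
            return None
        if self._clock() > state["expires"]:
            del self._pending[token]
            return None
        if state["user"] is None:
            return None                      # still waiting for the phone
        del self._pending[token]             # one-time use: cannot be replayed
        return state["user"]
```

The password only ever reaches `approve_from_phone`, which stands in for the request sent from the phone; the desktop side sees nothing but the token and the final result.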


Now, obviously, as the good folks on HackerNews point out, if you are on a computer you don't fully trust, you can never be 100% sure that whoever installed a keylogger on the machine isn't also doing other nefarious things while you are logged in.

Still, this is definitely safer than just typing your password on a computer that isn't yours and may even add some extra security for those who sometimes have to work on unsecured WiFi networks as well.


10:26 am

Mozilla Launches BrowserID: A Decentralized Alternative to Facebook Connect


Now that most of us regularly use dozens of sites on the Internet that all ask us to remember different login credentials, having a secure way to use a single login and password for all of these sites becomes more and more important (especially given that using the same password for every site – as many people do – is never a good idea). Thanks to OpenID, Facebook Connect and similar solutions, signing in to sites that support those protocols is now a lot easier than it used to be. OpenID, however, never quite caught on with users and using Facebook Connect means that a lot of your identity information is also made available to the sites you want to sign in to. Now, Mozilla, the organization behind the popular Firefox browser, is launching BrowserID, a decentralized protocol that, according to Mozilla’s announcement, will make it easy for users to sign in to websites with their existing email addresses and doesn’t suffer from “lock-in, reliability issues, and data privacy concerns.”

With BrowserID, users will be able to use any existing email address to verify their identity to websites that implement this system. To do so, the system uses the Verified Email Protocol. Mozilla also stresses that BrowserID “does not leak information back to any server (not even to the BrowserID servers) about which sites a user visits” and provides “a safer and easier way to sign in.” You can find more detailed information about how BrowserID works here.

How it Works

Basically, this allows you to use your existing email address (so you don’t have to sign up for yet another service) to sign in to a website with just one click (after you have authenticated your browser once before). To see how this works, head over to this demo site and click on the blue “Sign in” button or watch the following video, which includes a step-by-step demo of the service.

Mozilla currently hosts a BrowserID server for developers, but, as Mozilla’s Matt Brubeck notes in a discussion on Hacker News, any site can independently implement the protocol as well.

Not Just for Firefox

It’s worth noting that BrowserID isn’t tied to any specific browser vendor and works just as well in Firefox as Internet Explorer and Chrome. It also doesn’t have to be specifically supported by your email provider, though according to Mozilla, those providers that do support it will be able to provide “a better experience and more control if they do.”

In the future, as browsers implement this feature natively, you won’t have to sign up for a specific service anymore – is really just a temporary construct for now. It’s also worth noting that Mozilla hopes to work with other identity providers like Facebook, Google and Twitter to standardize this protocol.

9:26 pm