If you ever want to log into your Google account when you’re at a public computer, where you’re unsure whether or not there’s a keylogger installed, there’s now a simple solution. And it’s from Google!
First, point the (insecure) computer’s browser at accounts.google.com/sesame. Now pull out your Android, iPhone, or other smartphone, open any app capable of reading QR codes (Google Goggles is a fine choice, for example) and take a shot of the QR code that is generated at accounts.google.com/sesame. When your phone’s browser (which will need to be signed into your Google account) visits the URL encoded in the QR code, that will signal to Google’s servers that you’re at this computer, and the browser of questionable security will automatically log you into your Google account without any typing on your part.
Of course, you’re going to have to be logged into your Google account on your phone, but theoretically your phone is secure, while the terminal you’re at is not. Also, make sure to log off when you’re done!
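A minimal sketch of the server side of a flow like the one described above, added here as an illustration and not Google's implementation. The token lifetime, the `login.example` URL and every class and method name are assumptions; it shows the checks such a design depends on: a random one-time token in the QR URL, a short expiry, and login granted only to the browser session that requested the code.

```python
import hmac
import secrets
import time

TOKEN_TTL = 60  # seconds; assumed value, limits how long a displayed code stays valid


class QrLoginServer:
    """Toy server side of a phone-approved login (all names are hypothetical)."""

    def __init__(self, base_url="https://login.example/approve", clock=time.time):
        self.base_url = base_url
        self.clock = clock
        self.pending = {}  # token -> {"desktop": session id, "expires": ts, "user": None}

    def start(self, desktop_session):
        """Untrusted computer loads the page: mint a one-time token for the QR code."""
        token = secrets.token_urlsafe(32)
        self.pending[token] = {"desktop": desktop_session,
                               "expires": self.clock() + TOKEN_TTL, "user": None}
        return f"{self.base_url}?t={token}"  # this URL is what the QR code encodes

    def _live(self, token):
        """Return the pending entry for token, dropping it if it has expired."""
        entry = self.pending.get(token)
        if entry is None:
            return None
        if self.clock() > entry["expires"]:
            del self.pending[token]
            return None
        return entry

    def approve(self, token, phone_user):
        """Phone, already signed in as phone_user, visits the scanned URL."""
        entry = self._live(token)
        if entry is None or entry["user"] is not None:
            return False  # unknown, expired, or already approved
        entry["user"] = phone_user
        return True

    def poll(self, desktop_session, token):
        """Desktop page polls; only the session that requested the code is logged in."""
        entry = self._live(token)
        if entry is None or entry["user"] is None:
            return None
        if not hmac.compare_digest(entry["desktop"], desktop_session):
            return None
        del self.pending[token]  # single use: a replayed token gets nothing
        return entry["user"]
```

The password never touches the public computer in this flow, but the session it receives does, which is why logging off afterwards still matters.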
UPDATE: Google has, for the time being, at least, discontinued this service. The Sesame URL now displays the following message:
Hi there – thanks for your interest in our phone-based login experiment.
While we have concluded this particular experiment, we constantly experiment with new and more secure authentication mechanisms.
Stay tuned for something even better!
Dirk Balfanz, Google Security Team.