I’m a firm believer that the best camera is the one you have with you, a wise photography adage (and point of pride for iPhone enthusiasts). Likewise, I think the best personal password security should be no more than an arm’s length away, and that’s exactly what Google offered, until early this morning.
I wrote up about half a post last night extolling the virtues of Google’s unnamed security experiment. When you were using a computer other than your own to access Google, one whose security you couldn’t be 100 percent certain of, you could, instead of logging into Google directly, head to http://accounts.google.com/sesame. That page (note the URL, with its Ali-Baba-derived “Open Sesame” intonation) would show you only a big, blotchy QR code. Your job was to pull out your phone and scan it. Most newer Android phones come with Google Goggles pre-installed, and it’s very fast at finding and translating QR codes. But you could also use a dedicated Barcode Scanner app on Android or, on Apple devices, open up the “Apps” menu and access Goggles in Google’s Search app, or, again, use an iOS barcode scanner.
Any which way you scan that splotchy square, it would then open up a page on your mobile device’s browser. You’d probably be logged in there, but if not, you could do so over your mobile data connection, which is likely less vulnerable at that exact time and place. After you verified through your phone, with a flash of impress-your-friends magic, the page with the QR code showing would load either Gmail or Google’s personalized start page, iGoogle. With nearly all of Google’s services offering secure, encrypted connections, you could happily swim about the internet while inside a substantial digital shark cage.
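The flow described above can be sketched as a small server-side state machine. This is an added example, not Google's implementation and not code from the original post: the class name, the login.example URL, the 120-second lifetime and the browser cookie are all assumptions.

```python
import hmac
import secrets
import time

TOKEN_TTL = 120  # seconds a displayed QR code stays valid (assumed value)

class ScanLoginServer:
    """Hypothetical server side of a scan-to-login flow (not Google's code)."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.pending = {}  # token -> {"browser", "expires", "user"}

    def start(self):
        """Untrusted computer loads the QR page; no password is involved."""
        token = secrets.token_urlsafe(32)    # encoded in the QR code
        browser = secrets.token_urlsafe(32)  # cookie kept by that browser only
        self.pending[token] = {"browser": browser, "user": None,
                               "expires": self.clock() + TOKEN_TTL}
        return f"https://login.example/approve?t={token}", browser

    def approve(self, token, phone_user):
        """Phone, already signed in as phone_user, opens the scanned URL."""
        entry = self.pending.get(token)
        if entry is None or self.clock() > entry["expires"] or entry["user"]:
            return False  # unknown, expired, or already approved
        entry["user"] = phone_user
        return True

    def poll(self, token, browser):
        """The page showing the QR code asks whether it may load the account."""
        entry = self.pending.get(token)
        if entry is None or not hmac.compare_digest(entry["browser"], browser):
            return None  # only the browser that displayed the code may claim it
        if self.clock() > entry["expires"]:
            del self.pending[token]
            return None
        if entry["user"] is None:
            return None  # phone has not approved yet
        del self.pending[token]  # single use: a replayed token gets nothing
        return entry["user"]

if __name__ == "__main__":
    server = ScanLoginServer()
    qr_url, cookie = server.start()
    token = qr_url.split("t=", 1)[1]
    print("before scan:", server.poll(token, cookie))
    server.approve(token, "alice@example.com")
    print("after scan: ", server.poll(token, cookie))
```

In this sketch the account password only ever travels between the phone and the server; the computer showing the QR code handles a short-lived, single-use token and nothing a keystroke logger could capture.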
Apologies for the heavy-handed past tense, but Google pulled down the “Sesame” project some time last night, only a few days after it started spreading from an initial Google+ post, to Softpedia, Lifehacker, and beyond. Google left in Sesame’s place a message from the Google Security Team that the “phone-based login experiment” was concluded, but that we should “stay tuned for something even better.” We should all hope so. As more of the web moves toward mobile and encrypted connections, keystroke logging is something of a last frontier for those looking to steal passwords and make off with private data. Google still offers a two-step verification option that relies on a mobile app to verify log-ins on new systems, and you should definitely consider using it if your smartphone is always with you. But it’s better if nobody learns your password in the first place.
Let’s hope “Sesame” moves out of Google’s labs on an aggressive schedule.
Top photo and thumbnail by jared.