Google has been trialling a new secure login that uses a QR code to verify the user’s identity.

The authentification tool was an experiment to find a new way of securely logging into Gmail on a public computer.

Some users that tried to login on a public computer were asked to scan the QR code using their smartphone, which then directed them to another login page.

After signing in on their phone users were then routed to their Gmail account on the desktop computer.

Google software engineer Dirk Balfanz confirmed the experiment, which has now finished, on Google+ and said a different authentification process was also in the works.

Google only recently launched its 2-step verification process; an optional service that sends the user an additional code to their mobile after they have entered their Gmail username and password.

The QR code verification process works in a similar way as it requires the user to have their mobile phone to be able to login, but it is slightly more advanced since the user must have a smartphone rather than a normal mobile.

Mobile web consultant Terence Eden said the QR experiment is another example of mobile becoming the ‘key’ that unlocks our online world.

Having a separate communications channel also helps prevent man-in-the-middle attacks - your laptop may be on insecure wifi but your phone will be on a secure 3G signal.”

However he said although this trial is being run by Google, it is unlikely to be the catalyst for a wider take-up of QR codes.

I think we will need better education for users before this can take off. It's not very common to use two factor authentication for most people - that's the biggest challenge rather than the specific implementation.”

There have been several high profile uses of QR codes recently – not all of them well planned – but data on the number of scans is rarely published.

A TfL poster campaign achieved 4,500 clicks, roughly 70 per day, since going live in November, but as there are few similar data sets available it is difficult to benchmark against other campaigns.

David Moth

Published 18 January, 2012 by David Moth

David Moth is Editor and Head of Social at Econsultancy. You can follow him on Twitter or connect via LinkedIn

1719 more posts from this author

You might be interested in

Comments (2)


Andrew Liddell, Ecommerce Business MGR at Essential Nails

Interesting that you need a smart phone! Its a security/tracking authentication method that many people will be un aware of.

over 6 years ago


Scott Goldman

ANY form of 2FA is better than none. Google's effort to bring the mainstream into authentication here is laudable but, in my opinion, flawed. This is a convoluted process that requires multiple steps, a smartphone (shockingly, half of all phones in the US are still standard "feature" phones) to read the QR code and some agility to read the code properly.

The flaw is based on the fact that in a battle between security and convenience, convenience wins. If users are forced into multiple steps to complete they'll simply turn that option off or go elsewhere.

A 2FA method that is more secure uses a cell phone and text messaging but displays an alphanumeric code on the web page instead of a QR code and simply has the user text in the code from the cell phone which has been pre-registered and associated with that ID and password. When this approach is taken there is no open field on the web page to be hacked and the cell phone cannot be spoofed due to the UDID requirements and check at the carrier level.

It seems unlikely that any of Google's QR code process is as simple to the user as just sending an SMS from their phone. Simple, fast and less hackable than other available methods.

Finally, while this method is possible for a company with Google's resources it doesn't allow for downward scalability for smaller businesses. Implementation of security measures for SMEs is a hurdle to most methods. There's no conceivable way that Google's method could be transportable to smaller companies with any ease.

Scott Goldman
CEO - TextPower, Inc.

over 6 years ago

Save or Cancel

Enjoying this article?

Get more just like this, delivered to your inbox.

Keep up to date with the latest analysis, inspiration and learning from the Econsultancy blog with our free Digital Pulse newsletter. You will receive a hand-picked digest of the latest and greatest articles, as well as snippets of new market data, best practice guides and trends research.