by registrations_suck (1075251) writes:
Making life more of a pain in the ass, every god damned day. Thanks.
by Ol Olsoc (1175323) writes:
> Making life more of a pain in the ass, every god damned day. Thanks.
Because QR codes are perfect and secure. Or maybe not. https://www.techradar.com/QR-c... [techradar.com]
As soon as people get used to it, it's just another phishing attack vector
by crunchy_one (1047426) writes:
Exactly the point I came here to make. Due to the security risks inherent in QR codes, I never, ever, scan them. I know I have other options, but seriously Google, do you really hate your customers so much that you will further normalize use of one of the more risky technologies out there.
by MachineShedFred (621896) writes:
If they issue you a pre-shared key in the form of a QR code that you save somewhere, how is that introducing any QR code risk? And the only thing that should ever ask for it would be a Google auth page, which is pretty recognizable.
This literally isn't any different from any other pre-shared secret, other than having a whole lot more entropy available because the secret length can be arbitrarily large without the usability problem of remembering a 128-character key.
by unrtst (777550) writes:
I think we're missing a piece of info critical to determining if this introduces risk, what type, and how much. How does this work?
Just going on TFS, it sounds like:
* you go to gmail
* ... enter user+pass
* gmail displays a QR code
* WTF do I do with a QR code displayed on my phone while trying to login to the gmail website on my phone?
* Or, let's say I was on my computer, and I can scan the QR with my phone. What does that prove? Does it prove I have _MY_ phone (the "something you have" in MFA)?
When they send
by DamnOregonian (963763) writes:
> * WTF do I do with a QR code displayed on my phone while trying to login to the gmail website on my phone?
Actually a good question. I don't know if I've tried to use a QR for MFA on my phone.
> * Or, let's say I was on my computer, and I can scan the QR with my phone. What does that prove? Does it prove I have _MY_ phone (the "something you have" in MFA)?
It proves the same thing that an SMS proves- that you have your phone.
The QR encodes some kind of OTP that only a person with access to the screen you're using has.
This is like an SMS, in effect, only the vulnerability domain is visibility of your screen, and not half the intelligence agencies in the world.
by techno-vampire (666512) writes:
> This is like an SMS, in effect, only the vulnerability domain is visibility of your screen, and not half the intelligence agencies in the world.
I'm long retired, and I hadn't worked anyplace that an intelligence agency would be interested in for at least thirty years when I retired. What I'd be concerned with is accidentally giving access to my personal accounts to the Mafia, the Russian Mob, one or another of the various drug cartels, the Yakuza or other nefarious organizations.
by DamnOregonian (963763) writes:
> I'm long retired, and I hadn't worked anyplace that an intelligence agency would be interested in for at least thirty years when I retired.
Absolutely. I should have fully articulated the reasoning here-
If every 3 letter agency in the world has it, it's because they've all broken into the networks. If they have, so have well-funded non-governmental people.
As we have recently learned, compromising our entire telecom network wasn't nearly as hard as anyone had hoped.
SMS is shuffled around in the clear.
It's not just "not secure", it's begging to be seen by anyone interested.
by unrtst (777550) writes:
> * Or, let's say I was on my computer, and I can scan the QR with my phone. What does that prove? Does it prove I have _MY_ phone (the "something you have" in MFA)?
> It proves the same thing that an SMS proves- that you have your phone.
> The QR encodes some kind of OTP that only a person with access to the screen you're using has.
There must be more to it than that, because that's not possible. Assume you're a bad guy and you got someone's username and password. You attempt to login to gmail with it, but it sends back a QR code. You can see that QR code - it's on your screen, the bad guy's screen. In a challenge/response system, you'd do something with that value that would c
by DamnOregonian (963763) writes:
> There must be more to it than that, because that's not possible.
There is- the phone you scan the QR code with must be pre-registered/authorized with them, either via an Authenticator app, or a passkey.
> SMS works on the principle that it is only received by the owner of the phone number (set aside the bugs with it for a moment).
You can't set aside the "bugs" with it- that's the entire problem.
SMS is inherently insecure at every single layer.
> A QR code would be displayed to the person attempting the login. Where's the linkage to it being a device that is yours (something you have; i.e. 2FA)? If it actually sends the OTP code via QR (I don't believe that's the case), then anyone in the world with your user+pass could login as you and they'd get the QR code and be on their way. How does it add a factor?
Explained above- you register the phone when you set up the MFA. Same as with SMS, when you give it the phone number.
by unrtst (777550) writes:
> There must be more to it than that, because that's not possible.
> There is- the phone you scan the QR code with must be pre-registered/authorized with them, either via an Authenticator app, or a passkey.
That's the important bit of the authentication (the local app handling the data from the QR code), and there's no mention of how they plan to do it (in TFA, at least... I'm sure there's a doc out there somewhere). It also means what you said earlier is pretty much false (i.e. "The QR encodes some kind of OTP that only a person with access to the screen you're using has"). What you're saying this time is that it is a challenge/response system. This makes it much more than just a QR code anyone can scan... the important bit will be the client side app that does something with that and sends data back to Google.
by DamnOregonian (963763) writes:
> That's the important bit of the authentication (the local app handling the data from the QR code), and there's no mention of how they plan to do it (in TFA, at least... I'm sure there's a doc out there somewhere). It also means what you said earlier is pretty much false (i.e. "The QR encodes some kind of OTP that only a person with access to the screen you're using has"). What you're saying this time is that it is a challenge/response system. This makes it much more than just a QR code anyone can scan... the important bit will be the client side app that does something with that and sends data back to Google.
Uh, lol.
No, it's not.
The fact that the phone is trusted to authenticate and the PC is trusted to authenticate is not enough; you need a way to be sure that they're working in concert- that's the OTP (or UUID, or any randomly generated URL, call it what you will).
Nobody ever said it was a "QR code that anyone can scan".
The QR code sets the association between the phone and the PC, just like a phone number does.
The fact that you have pointed out that you still need another factor on the phone, is poi
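The challenge/response flow the two commenters above are arguing about, as a toy model added here for illustration (it is not Google's implementation, which the thread notes TFA does not describe, and `ORIGIN`, `AuthServer`, `Phone` and the URL layout are all constructed for the example): the server mints a random, single-use challenge after the password check and renders it as the QR payload; only a phone enrolled at MFA setup holds the key that can answer it, so an attacker who has the password and can see the QR on their own screen still cannot complete the login. The phone also refuses a QR that does not point at the expected login origin, which is the check that blunts the "just another phishing vector" concern raised earlier in the thread.

```python
"""Toy model of a QR-code second factor (added example, not Google's code).

The QR carries a fresh random challenge; only a phone enrolled beforehand
(sharing a per-device key with the server) can produce a valid answer.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from urllib.parse import parse_qs, urlparse

# Constructed origin for the example; not a real endpoint.
ORIGIN = "https://accounts.example.test"


@dataclass
class LoginSession:
    user: str
    nonce: str
    created: float
    approved: bool = False


class AuthServer:
    """Holds the keys enrolled at MFA setup and the pending login challenges."""

    def __init__(self) -> None:
        self.device_keys: dict[str, bytes] = {}   # user -> enrolled phone key
        self.sessions: dict[str, LoginSession] = {}

    def enroll_device(self, user: str) -> bytes:
        # MFA setup: phone and server share a per-device secret (the analogue
        # of registering a phone number for SMS).
        key = secrets.token_bytes(32)
        self.device_keys[user] = key
        return key

    def start_login(self, user: str) -> str:
        # Runs after the password check. The returned string is what the
        # browser would render as a QR code: a fresh, single-use challenge.
        sid = secrets.token_urlsafe(16)
        nonce = secrets.token_urlsafe(32)
        self.sessions[sid] = LoginSession(user, nonce, time.time())
        return f"{ORIGIN}/qr?sid={sid}&nonce={nonce}"

    def _expected_tag(self, sid: str, sess: LoginSession) -> bytes:
        msg = f"{sid}|{sess.nonce}".encode()
        return hmac.new(self.device_keys[sess.user], msg, hashlib.sha256).digest()

    def approve(self, sid: str, tag: bytes, max_age: float = 60.0) -> bool:
        # Accept the answer only if the challenge exists, is unexpired, has not
        # been used before, and the tag was made with the enrolled key.
        sess = self.sessions.get(sid)
        if sess is None or sess.approved or time.time() - sess.created > max_age:
            return False
        if not hmac.compare_digest(self._expected_tag(sid, sess), tag):
            return False
        sess.approved = True
        return True


class Phone:
    """The 'something you have': a device holding an enrolled key."""

    def __init__(self, key: bytes) -> None:
        self.key = key

    def scan_and_answer(self, qr_payload: str) -> tuple[str, bytes]:
        url = urlparse(qr_payload)
        # Refuse QR codes that do not point at the expected login origin.
        if f"{url.scheme}://{url.netloc}" != ORIGIN:
            raise ValueError("QR payload is not from the expected origin")
        q = parse_qs(url.query)
        sid, nonce = q["sid"][0], q["nonce"][0]
        tag = hmac.new(self.key, f"{sid}|{nonce}".encode(), hashlib.sha256).digest()
        return sid, tag


def demo() -> dict[str, bool]:
    server = AuthServer()
    my_phone = Phone(server.enroll_device("alice"))
    results: dict[str, bool] = {}

    # Legitimate login: the enrolled phone answers the challenge.
    sid, tag = my_phone.scan_and_answer(server.start_login("alice"))
    results["registered_phone"] = server.approve(sid, tag)

    # Replaying the same answer is refused (single-use challenge).
    results["replay"] = server.approve(sid, tag)

    # Attacker with Alice's password but an un-enrolled phone: the QR is on
    # the attacker's own screen, yet the answer does not verify.
    other_phone = Phone(secrets.token_bytes(32))
    sid2, tag2 = other_phone.scan_and_answer(server.start_login("alice"))
    results["attacker_phone"] = server.approve(sid2, tag2)

    # A QR that points somewhere other than the login origin is refused.
    try:
        my_phone.scan_and_answer("https://accounts.example.invalid/qr?sid=x&nonce=y")
        results["wrong_origin_rejected"] = False
    except ValueError:
        results["wrong_origin_rejected"] = True
    return results


if __name__ == "__main__":
    print(demo())
```

The model deliberately binds the session id into the HMAC so an answer for one challenge cannot be moved to another, and it marks the challenge used on first success. What it does not solve is the residual risk both sides of the thread circle around: if a user can be talked into scanning a challenge that an attacker's browser requested, the enrolled phone approves the attacker's session. That is why the origin check on the phone and some visible binding of the approval to the requesting browser (location, device fingerprint, or an on-phone confirmation of what is being approved) matter in a real deployment.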
by hey00 (5046921) writes:
Yeah, it's fishy. With the current, albeit flawed, system, the MFA is linked to the phone number.
I can change phone, I can lose it, I still have the phone number.
With this, it's tied to the phone itself. On top of increasing the risk of lockout in case of phone loss or theft, it will tie your account to your phone in a much tighter way, with all the privacy implications.
I use different google accounts, one for my phone and nothing else, one for my main email address, one for my junk address.
Can I use my phon
by SomePoorSchmuck (183775) writes:
> It proves the same thing that an SMS proves- that you have your phone.
Any reasonably modern phone could be used to scan a QR code to visit a web page. Unless you have to scan the QR code using an already authenticated Google app it only proves that you have *A* phone.
Knowing how much Google loves to hoover up PII and location tracking info this is likely the missing piece of the puzzle.
This was my first thought -- a further way for the techlords to continue their push to eliminate the Web and get the entire global herd inside the handheld app fences.
Copyright © 2026 Slashdot Media. All Rights Reserved.