
It would be even cooler if I could open an app on my phone, point it at a QR code on screen, and not have anything else bother me.


All the QR code needs to encode is a URL pointing to their authentication endpoint. If it's reasonably standardized, any password manager could implement it.

Login would be:

* scan QR code, sees https://megacorp.com/login?session=hexhexhex

* Password manager asks whether you want to log in with account X.

* Negotiates with auth service

* Website receives your confirmed token via websocket

* You're logged in.

And, of course, if you don't have an account, the password manager can get you started creating one.


SAASPASS does this as well.

https://saaspass.com/


This is (sorta) how SQRL works.

https://www.grc.com/sqrl/sqrl.htm


Which, to be fair, is close to how it works inside Apple's walled garden. Logging into iCloud on a new computer will cause the iPhone attached to that account to pop up a "confirm login" dialog, so the second factor for login is as unobtrusive as possible.


No, you still need a password, which also makes it insecure on a public computer (where keyloggers might be installed).

Instead, the better solution would be, you point your phone to a QR code on the computer screen, press “confirm”, the computer is magically logged in, until you then press “log out” on your phone and the computer is logged out.


If an attacker has root on a public computer, a QR code is easily hackable as well: just man-in-the-middle the scan process.

So while you are logged in, the attacker can do anything they want.


The signature of the QR code would need to be accepted by your mobile, not the public computer. I don’t think a MITM of the QR code process is possible if they sign it. But if the public computer is compromised, anything you log into from that computer is accessible by the attacker anyway, as long as the session is valid.


That’s true regardless of the login method. The benefit of the method I described is that you can 100% log out without any MITM, as you initiate the logout from a trusted device.


Yeah, agreed.


Google does that without needing a QR code if you have a recent Android and haven't enabled 2FA.


How does the communication from the computer to the phone work?


No idea. Presumably a push notification. Within less than a second of providing your email (on fast US data) you get a prompt on your phone that shows the browser model and approximate location and asks you to approve or disapprove the login.

They initially rolled it out as a 2FA option, then as an option for 1FA.


OK, so you have to actually type your email into the computer.


Exactly. Google already asked for email alone and then password on the next page so that they could support sending enterprise emails to custom login systems.


You’ve just described SQRL.


Yeah, I actually like the way Microsoft and Google do it when it just displays a notification or number on my phone. Recently I logged in to a new Windows 10 computer and I didn't even have to type a password anywhere.

Unfortunately I don't see the need to actually fill and type passwords going away any time soon.

I'm mostly complaining about having to either:

1) Install the password manager on a computer to fill in passwords. You end up typing the password manager's password into the computer which could compromise the entire database as well as give the computer other information about your accounts and website usage.

2) Otherwise you have a password manager on your phone. You have to view the password and type it into a keyboard. Typing complex passwords is a pain in the butt. It would be nice if the password manager on my phone could just somehow type it for me. Then the only thing that goes into the computer is the exact password I'm trying to use.


Oh hell that would be amazeballs if it's open source and worked on Windows, OSX, Linux, and could work with a 2FA device like Yubikey. I'd put $20 down for that in a heartbeat.


This seems to be the default for web apps here in China, such as Taobao or JD. Either the home page or the login page presents a QR code, and the mobile app has a scan icon.


Would you sue me if I tried to implement this? That is an amazing idea.


This has been done already, so no. There’s prior art. Look up Clef for one example.

https://en.m.wikipedia.org/wiki/Clef_(app)


I had high hopes for Clef, but unfortunately, it never got the traction it needed.

That would require each site to implement server-side components to talk to Clef, and most sites have been ice-age slow to implement basic TOTP, never mind yet another method.

Now, if the big existing OAuth sites (your Google, Facebook, Okta, etc.) implemented a QR code method like Clef, then it might work.


I already need to do this to log in to LINE on my computer, so no.


Do it. No one's going to sue you for implementing a random comment brainstorm.


Make sure nobody takes a photo of you showing your QR code, I guess.


The QR code would only contain a login challenge, the phone would complete the challenge. Of course that would mean the auth server must be publicly reachable or the phone must be in the same network.


As far as I understood, if somebody else scanned the same token, they would just log in with their own account (if they have one).

Whoever logged in first would invalidate the hexhexhex token and the second person would need to start another browser session.
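The flow sketched earlier in the thread (QR encodes a session URL, phone checks it and answers, website receives the confirmed token, logout initiated from the phone) and the single-use behaviour described in this comment, as an added simulation that is not code from any commenter or from SQRL/Clef/SAASPASS. Assumed for the simulation: an HMAC over the session id stands in for the server's public-key signature on the QR payload, and each account holds a device secret enrolled when it was created; `AuthServer` and `phone_scan` are hypothetical names.

```python
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlparse


def _mac(key: bytes, msg: str) -> str:
    return hmac.new(key, msg.encode(), hashlib.sha256).hexdigest()


class AuthServer:
    def __init__(self, origin="https://megacorp.com"):
        self.origin = origin
        self._sign_key = secrets.token_bytes(32)  # signs the QR payload; stands in for a public-key signature
        self.accounts = {}   # username -> device secret enrolled when the account was created (assumed)
        self.sessions = {}   # session id -> bound username, or None while still unclaimed
        self.revoked = set()

    def new_login_session(self) -> str:
        """The browser opens a session; the returned URL is what the on-screen QR code contains."""
        sid = secrets.token_hex(16)
        self.sessions[sid] = None
        return f"{self.origin}/login?session={sid}&sig={_mac(self._sign_key, sid)}"

    def verify_qr(self, sid: str, sig: str) -> bool:
        return hmac.compare_digest(_mac(self._sign_key, sid), sig)

    def confirm(self, sid: str, username: str, response: str) -> bool:
        """'Website receives your confirmed token': the first valid response claims the session, later ones fail."""
        if sid not in self.sessions or self.sessions[sid] is not None or sid in self.revoked:
            return False
        secret = self.accounts.get(username)
        if secret is None or not hmac.compare_digest(_mac(secret, sid), response):
            return False
        self.sessions[sid] = username
        return True

    def logout(self, sid: str, username: str) -> bool:
        """Logout is initiated from the phone, so a MITM on the computer cannot keep the session alive."""
        if self.sessions.get(sid) != username:
            return False
        self.revoked.add(sid)
        return True


def phone_scan(server: AuthServer, qr_url: str, username: str, device_secret: bytes) -> bool:
    """Password manager on the phone: check the QR's origin and signature, then answer the challenge."""
    u, q = urlparse(qr_url), parse_qs(urlparse(qr_url).query)
    sid, sig = q.get("session", [""])[0], q.get("sig", [""])[0]
    if f"{u.scheme}://{u.netloc}" != server.origin or not server.verify_qr(sid, sig):
        return False  # wrong origin or tampered QR: refuse before answering anything
    return server.confirm(sid, username, _mac(device_secret, sid))
```

A second scan of the same QR by another account fails because the session is already bound, and a logout from the phone revokes the session id regardless of what the computer does.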


I know of a couple of banking apps that use this. Super handy!



