The idea is to let users maintain a portable database of very strong passwords. Since the credentials are transfered when the QR code is scanned the user doesn't need to remember or enter a complex password. It also eliminates worries about keyloggers since no information is typed.
It's gotten to the point that the average person needs to remember dozens of passwords for various sites. You can't use the same password for everything because one could be hacked, compromising all of them, and even if that's not an issue, every site has different password strength requirements. This approach lets you use a very complex password for each site without making you memorize it. I just wish there were an Android version.
That's great to hear! Let me know if you need someone to test with android. My wife was excited when I told her about the app...her current solution is a big Google doc with all of her important passwords!
what bit talks to the browser? Don't websites need to be "QRAuth" enabled? Have I just asked one of those questions which is "funny you should ask that..." ?
There's a browser extension (Chrome/Safari/FF) that does the hookup. Basically it talks to our server to request a QR Code. When the code is scanned, the users credentials are encrypted on the phone, sent to our server which passes them along to the browser extension.
I do have a version that doesn't require the browser extension, but that does require the website to add some javascript and do some backend work to enable it.
How is this better than something like 1Password? The only difference seems to be that instead of entering my master password in the browser extension, it's on my phone and I have to do extra work to log into the web site... I don't see any real security advantage, and the UX is much worse. Maybe I am missing something though.
As others said, I'd love to see an android version. However, before I use it for my important Web service accounts, I'd like the ability to encrypt my passwords both on the phone app and the browser plugin with a key known only to me so I don't have to trust your service with my cleartext passwords.
I was working on this when google tested that feature. I actually started the project as a 2 factor authentication system but scaled it back to this version of the initial release at least. There's a chicken/egg problem with getting websites to adopt without needing the browser plugin.
I like your password idea, its a nice feature. I'll add it to my idea list. Thanks for the feedback!
I just tried it out. Works quite well! I think this is pretty damn cool.
Feature requests:
- The ability to add sites to the db using the extension (unless I missed this). Typing on the iphone's a pain vs typing on my laptop.
- A way to quickly copy the credential data from the iOS app so it can be used in other iOS apps.
- A password auto-generator.
- Dropbox support. That way this could sync up and work across platforms, and wouldn't require me to trust you with my precious data. (I'm already trusting dropbox, for better or worse, but at least there I can ensure it's encrypted)
There is support for iCloud which tries to sync the database between phones. I've found iCloud syncing of databases to be slow in my testing, but it does seem to do it eventually. Speed probably isn't a big issue for day to day use, but it made testing the sync feature frustrating.
13 comments
[ 2.9 ms ] story [ 54.5 ms ] threadI do have a version that doesn't require the browser extension, but that does require the website to add some javascript and do some backend work to enable it.
I also see an advantage of not needing to constantly type in a master password, which can be seen by anyone standing around me.
http://www.readwriteweb.com/archives/google_launches_qr_code...
As others said, I'd love to see an android version. However, before I use it for my important Web service accounts, I'd like the ability to encrypt my passwords both on the phone app and the browser plugin with a key known only to me so I don't have to trust your service with my cleartext passwords.
I like your password idea, its a nice feature. I'll add it to my idea list. Thanks for the feedback!
Feature requests:
- The ability to add sites to the db using the extension (unless I missed this). Typing on the iphone's a pain vs typing on my laptop.
- A way to quickly copy the credential data from the iOS app so it can be used in other iOS apps.
- A password auto-generator.
- Dropbox support. That way this could sync up and work across platforms, and wouldn't require me to trust you with my precious data. (I'm already trusting dropbox, for better or worse, but at least there I can ensure it's encrypted)
There is support for iCloud which tries to sync the database between phones. I've found iCloud syncing of databases to be slow in my testing, but it does seem to do it eventually. Speed probably isn't a big issue for day to day use, but it made testing the sync feature frustrating.