Hazelnoot [she/her]

I’m confused about how this is supposed to act as a second authentication factor 🤔

A guess/suggestion:

You have an app with a private key. The QR code contains data encrypted with the corresponding public key. Your app decrypts the data and transmits it to Google's servers, proving you are in possession of the secret key.

Hazelnoot [she/her]

oh so it would just be app-based MFA but without using TOTP. That makes sense
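
The scheme guessed at earlier in this thread (the QR code carries data encrypted to the app's public key, and the app decrypts it and sends it back), written out as an added example; it is not part of the thread and not Google's actual design, which the article does not describe. RSA-OAEP, the function names, the 60-second expiry and the single-use rule are assumptions made for the illustration.

```javascript
// Added illustration of the scheme guessed at in the thread; not Google's design.
const crypto = require('node:crypto');

const OAEP = { padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' };

// Enrolment (assumed): the app creates the key pair; only the public key goes to the server.
function enrolDevice() {
  return crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
}

// Server: encrypt a fresh random nonce to the enrolled public key; the ciphertext is the QR content.
function createChallenge(publicKey, now = Date.now(), ttlMs = 60_000) {
  const nonce = crypto.randomBytes(32);
  const qrPayload = crypto.publicEncrypt({ key: publicKey, ...OAEP }, nonce).toString('base64');
  return { qrPayload, nonce, expiresAt: now + ttlMs, used: false };
}

// App: decrypt the scanned payload with the private key that never leaves the phone.
function answerChallenge(privateKey, qrPayload) {
  try {
    return crypto.privateDecrypt({ key: privateKey, ...OAEP }, Buffer.from(qrPayload, 'base64'));
  } catch {
    return null; // a device holding a different key cannot decrypt: OAEP decoding fails
  }
}

// Server: accept only the right nonce, once, before expiry.
function verifyResponse(challenge, response, now = Date.now()) {
  if (challenge.used || now > challenge.expiresAt) return false;
  if (!Buffer.isBuffer(response) || response.length !== challenge.nonce.length) return false;
  const ok = crypto.timingSafeEqual(response, challenge.nonce);
  if (ok) challenge.used = true; // single use, so a captured response cannot be replayed
  return ok;
}

// Constructed run: the enrolled phone, a replay, a phone with another key, and a late answer.
function demo() {
  const phone = enrolDevice();
  const otherPhone = enrolDevice();
  const c1 = createChallenge(phone.publicKey, 0);
  const answer = answerChallenge(phone.privateKey, c1.qrPayload);
  const c2 = createChallenge(phone.publicKey, 0);
  return {
    enrolledPhone: verifyResponse(c1, answer, 1_000),
    replay: verifyResponse(c1, answer, 2_000),
    wrongKey: answerChallenge(otherPhone.privateKey, c2.qrPayload),
    expired: verifyResponse(c2, answerChallenge(phone.privateKey, c2.qrPayload), 61_000),
  };
}
console.log(demo());
```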

The real reason is that they want to save money on the text messages (outside of the US they need to pay $0.05 each time), not because they actually care about user security.

Like when xitter ran out of money and didn’t pay their sms bills and people were locked out of their accounts

lime!

i mean, it’s also a security issue. sms is plaintext all the way from them to you.

Also, it’s dead simple to send someone else (or tell them over the phone) 6 numbers, when you’re being phished. Much harder for people to send someone a QR code.

@smeg@feddit.uk

Sadly the article is very light on how this actually works. I’m guessing it involves setting up an authenticator on the phone (something they encourage anyway) and just using a QR code as a new way of interacting with it?

How am I supposed to scan a QR code sent to my phone… with my phone?

On Android you can use Google Lens or, if you don’t want to use Google products, any random QR code scanner app.

No idea about iPhone as I’ve never owned one, but I’d assume most QR code scanners can do that there as well.

QRs don’t seem safe to me
Scanning a QR allows the installation of malware apps so I can look at a restaurant menu, & ding my card for recurring charges?

The devil’s in the details. And there aren’t many details in this article.
