[edlea]

If you're on an untrusted computer, the network is by definition also untrusted.

What happens if the computer has a hacker's self-signed certificate for https://accounts.google.com installed and the hacker sets up a man-in-the-middle style attack?

The hacker's browser asks Google for a QR code and it gets sent to your browser. When you scan the code and authorise from your phone, the hacker's browser would be logged into your Google account.

[mike-cardwell]

This is supposed to secure you on an untrusted computer. It doesn't. There are loads of attacks still. The moment you log in, the attacker has access to your account because they control the browser you're using.

What it protects against is basic key logging attacks (software and hardware). These are the most likely attack you can expect to see, so protecting against them has real life value.

The safest thing you can do is never use an untrusted machine to access important accounts.

[baddox]

It protects against exactly one more type of vulnerability than the normal login method, so it's still better.