Except for the 'revocation code' briefly mentioned on their FAQ page[0], this is likely just the same authentication scheme offered by Clef[1], with all the same inherent weaknesses.

The biggest weakness in these schemes is the inherent potential for a MITM to display the QR or bar code (I still don't think Clef actually displays what site you're logging in to on your phone, and even if they do it's vulnerable to visually similar URLs). The bottom line is the lack of authentication between the phone and the browser.

The on-device encryption is also useless because the key is such a short PIN.

[0] http://www.capturein.com/FAQ.html
[1] https://getclef.com/