Show HN: Logging in with QR codes (proof of concept)

86 points by legierski, over 13 years ago

22 comments

peterwwillis, over 13 years ago
First of all: All modern malware/botnets steal session cookies in real time and then log in and perform any automated task they're programmed to. All you're protecting is a username/password which should be unique to the service anyway.

So basically you want one-time session tokens. This is only slightly secure if you do the "first" login on the phone, not on the desktop, since you don't trust the desktop. You can achieve one-time session tokens with an app on your phone that doesn't need network access, such as a one-time pad or some kind of HMAC token-generating app (display a token, user enters into app along with their secret key, a new token is generated, put into desktop login and poof, you have a secure one-time token). You can do that with QR codes to prevent from having to type stuff.
gvb, over 13 years ago
This could also be used for non web site logins with some work - I'm thinking of a PAM module that puts a QR code up on the login screen. This likely would be more work than it is worth. If it were done, logging in to a non-graphical system (e.g. ssh / console) would be an interesting challenge - theoretically, you could make ASCII-art QR codes. ;-)

As a more elaborate version, this could provide a challenge-response authentication where the QR code is the challenge, an Android/iPhone app does a crypto hash to sign the challenge and sends it to the home office to complete the authentication.

Unfortunately, webcams are not consistent WRT presence and access, otherwise the phone app could generate a signed QR code and send it back to the home office via the webcam. The primary advantage here would be if you did not have internet access via your cell phone, e.g. neither cell phone coverage nor a WiFi hotspot was available.
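The offline HMAC token and QR challenge-response described in the two comments above, sketched as an added example that is not part of the thread or of any project mentioned in it. The class and function names, the 60-second lifetime, the 12-character truncation and the sample secret are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

CHALLENGE_TTL = 60  # seconds a displayed challenge stays valid (assumed value)


def phone_response(key, user, challenge):
    """What the phone app computes offline after scanning the challenge."""
    msg = f"{user}\n{challenge}".encode()
    # Truncated so a person can type it; 12 hex chars = 48 bits (assumed length)
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:12]


class LoginServer:
    """Issues challenges (the QR payload) and checks the typed-in response."""

    def __init__(self, user_keys):
        self.user_keys = user_keys  # username -> shared secret bytes
        self.pending = {}           # challenge -> expiry timestamp

    def new_challenge(self, now=None):
        now = time.time() if now is None else now
        challenge = secrets.token_urlsafe(16)  # unpredictable, never reused
        self.pending[challenge] = now + CHALLENGE_TTL
        return challenge  # this string is what would be rendered as the QR code

    def verify(self, user, challenge, response, now=None):
        now = time.time() if now is None else now
        # pop() makes every challenge single-use, even when the check fails
        expiry = self.pending.pop(challenge, None)
        key = self.user_keys.get(user)
        if expiry is None or now > expiry or key is None:
            return False
        expected = phone_response(key, user, challenge)
        return hmac.compare_digest(expected.encode(), response.encode())


def demo():
    key = secrets.token_bytes(32)  # constructed sample secret
    server = LoginServer({"alice": key})
    c1 = server.new_challenge(now=1000)
    r1 = phone_response(key, "alice", c1)
    first = server.verify("alice", c1, r1, now=1010)
    replay = server.verify("alice", c1, r1, now=1011)  # same token again
    c2 = server.new_challenge(now=2000)
    late = server.verify("alice", c2, phone_response(key, "alice", c2), now=2061)
    return first, replay, late
```

A token captured on the desktop is useless for a second login because the challenge is consumed on first use; as the first comment notes, the session cookie issued after login is a separate asset that this does not protect.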
SyntaxPolice2, over 13 years ago
Great to see this discussion here. I'm the implementer of Animate Login, which is a similar, open source, QR Code authentication system. We're currently in discussions with the tiqr project (also open source) to see if it makes sense to combine the two systems:

http://animate-innovations.com/content/animate-login

https://tiqr.org/

We're very open to getting help & feedback!

peace,

isaac <ijones@syntaxpolice.org>
leonderijke, over 13 years ago
There's an open source project called 'tiqr' which uses QR, combined with a PIN code, to log you in: https://tiqr.org/
sweis, over 13 years ago
I've seen at least three independent implementations of this idea.

One is called Snap2Pass: http://prpl.stanford.edu/papers/soups10j.pdf http://www.youtube.com/watch?v=-9QOcDV4VZI

Here's one called Animate Login with source code: http://animate-innovations.com/content/animate-login
citricsquid, over 13 years ago
I had this idea a few months back but didn't have any reason to develop it, I assume many others have done too and I would love to see it used. The basic use case for me was when I had an application that had a purpose when used mobile vs desktop (for me it was scanning labels of products) and a user had to be logged in via the desktop *and* phone. Glad to see a proof of concept, I hope this idea takes off, typing in my username and password on mobile devices drives me crazy. Sign in on website, have a QR code, scan with phone and be logged in to the website on the phone.

edit: never mind, this is a different, more like fingerprint scanners than my idea. That teaches me to skim articles at first. Still a neat idea!
adrianpike, over 13 years ago
We're using QR tags at our office for the door locks sometimes. People with 24/7 access get more robust RFID tags, but for time-sensitive access, we just generate their key & print out a QR code with it that they show the camera.
porterhaney, over 13 years ago
I dig this concept, and using things like QR codes for non-traditional uses.

I'd prefer to scan a QR code on a page than enter a captcha. I think for things even simpler than logging in, QR codes could be a reasonable alternative to difficult web forms, id verification, etc.
nicholasreed, over 13 years ago
Paging kirubakran! He built a PoC with this exact same concept, but it is a Chrome extension.
conradev, over 13 years ago
I like this idea. I don't think QR codes are being used to their full potential.

The standard is definite for how to create QR codes, but I don't like how there are no written standards for how to pack the data (e.g. contacts, events, messages).
rpledge, over 13 years ago
I've been working on something very similar for a while now, good to see all the positive feedback in the comments. I have a very alpha version at http://qrauth.com
vilda, over 13 years ago
Actually it's even more interesting for two-factor authorization.
joshmanders, over 13 years ago
I like this concept and love what you showed using it. I just have no real practical use for it at the moment. Would love to see it being used though.
anonymous, over 13 years ago
I don't understand this obsession with QR codes. Why not just generate a short code and have the user type it in?
danbmil99, over 13 years ago
Here's another way to use dynamic QR codes -- digital wallet:

http://s3qr.com
yuliyp, over 13 years ago
So you implemented OpenID using a phone instead of the third-party identity provider's web site?
pardner, over 13 years ago
What a fun idea. Might as well add a Twilio-powered SMS login as well?
geon, over 13 years ago
Couldn't it be implemented as an Open ID provider?
zerostar07, over 13 years ago
So it's like Google Authenticator with QR codes?
coolk, over 13 years ago
brilliant thought!
wavephorm, over 13 years ago
It's more useful to go the other way. Generate a QR code (with a URL & certificate) on your smartphone, and scan that from a desktop to log in. Only problem is nobody is writing PC software anymore, so even finding decent QR code scanner software for a desktop computer is troublesome these days.
sarbogast, over 13 years ago
Now that's a very interesting concept!