QR Codes - An Alternative to Usernames and Passwords?
Whenever we hear the words "login page," our minds probably jump to an image of a Username and Password box with a Submit button. This is because, even though there are alternative means of user authentication, such as fingerprint scanning, the username and password combo is the most convenient and widely accepted security model by far.
However, in the past few years, a promising new security model has been developed - QR Codes! QR Codes are mainly known to the public as a URL link - scan the code, and your smart phone will take you to a web page! But several teams and organizations have developed a clever way to use QR Codes as an alternative to the standard username and password model. Instead of logging in the traditional way, a user would simply scan a QR Code with his or her smart phone, and the website would safely and automatically identify the person who scanned it!
URL vs Username and Password. Which one wins?
So how does it work? The process is pretty complicated, but in a nutshell, it works like this. A Masterkey is a randomly generated 256-bit integer - that is, an extremely large number with basically zero chance of being reproduced. Each user gets his or her own unique Masterkey. Then, when the user clicks on a QR Code on a website (or scans the code with their smart phone), the website will perform some math using that user's Masterkey with the randomly generated QR Code. If the results of this math check out, the website can identify the user, and the user is logged in.
From the users' perspective, all they have to do is click on the QR Code, and they're in! No usernames, no passwords, no hassle!
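The flow described above, as an added sketch that is not from the original post or from any of the QR login projects it mentions. HMAC-SHA256 stands in for the unspecified "math", and the class name, function names and 120-second expiry are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

NONCE_TTL = 120  # seconds a displayed QR challenge stays valid (assumed value)

class QrLoginServer:
    """Hypothetical server: stores each user's Masterkey, issues QR challenges."""

    def __init__(self):
        self.masterkeys = {}   # user id -> 32-byte Masterkey
        self.pending = {}      # nonce -> expiry timestamp

    def enroll(self, user):
        key = secrets.token_bytes(32)      # 256 random bits from the OS CSPRNG
        self.masterkeys[user] = key
        return key                         # handed to the user's phone once

    def new_challenge(self, now=None):
        now = time.time() if now is None else now
        nonce = secrets.token_hex(16)      # random value encoded in the QR code
        self.pending[nonce] = now + NONCE_TTL
        return nonce

    def verify(self, user, nonce, response, now=None):
        now = time.time() if now is None else now
        expiry = self.pending.pop(nonce, None)   # single use: a replay finds nothing
        key = self.masterkeys.get(user)
        if expiry is None or now > expiry or key is None:
            return False
        expected = hmac.new(key, nonce.encode(), hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)  # constant-time compare

def phone_respond(masterkey, nonce):
    """What the phone computes after scanning the QR code."""
    return hmac.new(masterkey, nonce.encode(), hashlib.sha256).digest()

def demo():
    server = QrLoginServer()
    key = server.enroll("alice")           # constructed sample user
    nonce = server.new_challenge()
    resp = phone_respond(key, nonce)
    first = server.verify("alice", nonce, resp)
    replay = server.verify("alice", nonce, resp)   # same QR code reused
    return first, replay
```

Because the server keeps a copy of each Masterkey in this sketch, the stored keys need the same protection as a password database.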
You may be wondering, though, "How is this secure? If a hacker gets a hold of my Masterkey, I'm finished!" And, unfortunately, this is true. However, it is worth noting that this is also the case with Usernames and Passwords. The difference is that most people typically use "weak" passwords, which hackers are able to guess quickly by using tools. By comparison, Masterkeys are 256-bit integers - extremely large numbers which are nearly impossible to reverse-engineer through traditional password-cracking methods. If I understand the math from this page correctly, there is less than a 1 in 100 Trillion chance of a hacker successfully obtaining a user's Masterkey!
It is unlikely that Usernames and Passwords will be replaced by QR Code logins any time soon, but the research in this method is interesting and exciting! For more information, check out these pages for different QR Code developers.