QR codes have been around for 25 years, with mixed perspectives on them over time depending on who you ask and what they’re being used for. After marketers figured out that people generally don’t want to go through the trouble of scanning a QR code just to view advertisements, companies like Snap and Facebook found ways to make them cool enough that many people didn’t even realize that they were using them at all. Over time, some predicted the QR code would die, while others have noted that it has made a comeback. Recently, some companies started using them for authentication, but with different implementation methods and equally mixed results. Like many innovations, the QR code can be applied in many different ways, with both good and bad outcomes depending on the context and implementation method.
Not all authentication QR codes are created equal. The QR code is only a transport mechanism; how it is used is what matters. When used for authentication, the only thing a QR code should ever contain is a random authentication session identifier: a high-entropy, short-lived, single-use value that discloses nothing to an attacker who photographs the screen.
Several services use a QR code as a second factor (which still leaves the fundamentally flawed first factor in place), and many of them are poorly designed because they encode data in the QR code that serves no authentication purpose. Anything beyond the session identifier is data an onlooker can read straight off the screen.
First of all, usernames and passwords are themselves the root of the problem. Incorrect use of QR codes only makes it worse.
People’s usernames are most often their primary email address and are frequently public or guessable. Analyses of credential dumps traded on the dark web consistently show that the majority of passwords are reused across multiple services. Google has noted that even where 2FA is offered, fewer than 10% of its users ever turn it on. Worse yet, the most common 2FA methods are SMS codes (which NIST SP 800-63B classifies as a restricted authenticator) or even weaker mechanisms such as security questions.
We should stop relying on usernames and passwords. It is unreasonable to expect people to maintain a unique username and password combination for every account.
Authentication should instead rely on a secret held in a cryptographic device. Even a smartphone's key store is far better than a password, and where more assurance is needed, smart-card based authenticators (physical tokens) can hold the secret. A dynamic authentication QR code fits this model well: the server generates a fresh random session identifier, shows it as a QR code, and the device signs that identifier with its secret to approve the session. The QR code itself carries only the identifier, so it reveals nothing to an attacker.
When people assess authenticators that use QR codes, it is important to remember that not all implementations are equal. The QR code has real potential to help retire the password, the single biggest problem in cybersecurity today, but it has to be implemented correctly. The fact that some implementations are terrible is no reason to throw the baby out with the bathwater.
by Perry Chaffee