Too Long for Tweets

Too Short for Newspapers


Instant Authentication - QR codes for Two-Factor Authentication

The Interest


QR codes seem like they should be so useful. Two-dimensional bar codes for the masses, QR codes can store lots of data in a small space. For example, they can represent URLs, vCards, package contents, etc. But to date, QR codes have been used as nothing more than ad-tracking services and URL hyperlinks, thus relegating their popularity to the realm of the :CueCat in the 90’s.

The Ah-Ha

Still, I am enamored of the QR code. It is so cool that surely it has the potential to be something more than it currently is, or so I kept thinking. That’s when I realized that QR codes do not have to represent data, but can also represent actions. Order something off a menu, request more paper in the copy center, or purchase more trips on your MetroCard. Yes, QR codes can be a point-and-click link to an action you want to take, thus bringing technology to static objects via that which you already bring with you (camera-enabled smartphones and tablets). So maybe QR codes aren’t so boring after all.

The New Hook

And that led me to using QR codes for two-factor authentication (T-FA). Let me explain. T-FA is the concept of logging into a system with not just a username and password, but also some other form of proof of identity. The “motto” of T-FA is “Something you know, something you have and something you are: pick any two.” The best known implementation of T-FA is RSA’s key fobs, which you have to carry with you (something you have) in order to enter the constantly changing digits on the fobs along with your username and password (something you know).

The Idea

So my idea is this. Use QR codes on websites as a one-time code you must scan with an app on your smartphone that has already been authenticated/initialized with your web app. Scanning the QR code with your smartphone (something you have) prompts you to enter a PIN (something you know), and the QR code will “unlock” the website without the need to type in your full username and password. Add some modern web magic (like websockets via the backward compatible Socket.io) and you have QR code scanning that unlocks your website instantaneously. It is Instant Authentication.
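
One way the server side of this flow could work, as an added example that is not the proof-of-concept code linked from this post. It assumes an HMAC-SHA256 challenge-response in which the PIN is mixed into the phone's key, a 60-second code lifetime, and hypothetical names throughout (`enroll`, `newChallenge`, `phoneResponse`, `redeem`).

```javascript
const crypto = require('node:crypto');

const TTL_MS = 60_000;          // assumed lifetime of a displayed QR code
const devices = new Map();      // deviceId -> { user, key }
const challenges = new Map();   // nonce -> { sessionId, expires }
const sessions = new Map();     // browser sessionId -> logged-in user

const hmac = (key, msg) => crypto.createHmac('sha256', key).update(msg).digest();

// One-time enrollment, done while the user is logged in the ordinary way.
// The phone keeps `secret`; the server keeps only the PIN-bound key.
function enroll(deviceId, user, pin) {
  const secret = crypto.randomBytes(32);
  devices.set(deviceId, { user, key: hmac(secret, pin) });
  return secret;
}

// Login page load: the returned nonce is what the QR code encodes.
function newChallenge(sessionId, now = Date.now()) {
  const nonce = crypto.randomBytes(16).toString('hex');
  challenges.set(nonce, { sessionId, expires: now + TTL_MS });
  return nonce;
}

// Phone app: something you have (secret) plus something you know (PIN).
function phoneResponse(secret, pin, nonce) {
  return hmac(hmac(secret, pin), nonce);
}

// Server: check the phone's answer and unlock the waiting browser session.
function redeem(deviceId, nonce, response, now = Date.now()) {
  const ch = challenges.get(nonce);
  challenges.delete(nonce);     // single use: burned even when the check fails
  const dev = devices.get(deviceId);
  if (!ch || !dev || now > ch.expires) return null;
  const expected = hmac(dev.key, nonce);
  if (response.length !== expected.length ||
      !crypto.timingSafeEqual(response, expected)) return null;
  sessions.set(ch.sessionId, dev.user);  // a Socket.io push to the browser would go here
  return dev.user;
}

// Constructed demo values: one enrolled phone, one browser session.
const demoSecret = enroll('phone-1', 'alice', '4821');
const demoNonce = newChallenge('sess-demo');
console.log(redeem('phone-1', demoNonce, phoneResponse(demoSecret, '4821', demoNonce)));
```

Because the nonce is deleted on every attempt, a wrong PIN costs the user a fresh scan, which also limits online PIN guessing to one try per displayed code.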

Instant Authentication

*** If you are interested in seeing partial proof of concept code in action, go to this URL: http://goo.gl/6azG. ***

What do you think?  Is this something worth pushing forward? Does it solve problems, or just introduce new ones? I would love to hear your thoughts.
