Too Long for Tweets

Too Short for Newspapers

QR Instant Authentication #2

You probably saw my previous post about using QR codes as part of an authentication scheme.  I call it “Instant Authentication.”  The idea is fairly simple: scan a QR code from a login screen with your smartphone and then use your smartphone as an authentication device.  Once authorized, Instant Authentication “unlocks” the original login screen by using some websocket goodness.

My intent was to work on a full, two-factor authentication application for my smartphone in support of this scheme.  I decided, however, to take an intermediate step by just using the smartphone’s browser as a simple challenge/response device.  Not two-factor authentication compliant, but still safer and easier to use than a regular username/password.  

Here’s the workflow:

  1. You arrive at a login screen of a web site.  It contains an “Instant Authentication” QR code.
  2. You scan the QR code with your smartphone, which opens an “authorization” page on your phone.
  3. If you have authenticated with the service before, it simply sets a session cookie on your phone, which is transferred to the computer’s login screen via websockets.  Otherwise, it asks for credentials and then repeats step 3.
  4. Voila!  You have “logged in” to a web site by just clicking on a QR code.
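
The server-side pairing behind this workflow can be sketched as follows. This is an added example, not the code behind the proof of concept; the `PairingBroker` name, the 60-second lifetime and the random single-use challenge id are assumptions, and an in-process event stands in for the websocket push.

```javascript
// Added example: in-memory pairing broker for the QR login flow.
// All names and the 60-second lifetime are assumptions, not from the post.
const crypto = require('crypto');
const { EventEmitter } = require('events');

const CHALLENGE_TTL_MS = 60_000;

class PairingBroker extends EventEmitter {
  constructor(now = () => Date.now()) {
    super();
    this.now = now;           // injectable clock so expiry can be tested
    this.pending = new Map(); // challenge id -> expiry timestamp
  }

  // Step 1: the login page requests a challenge; the id goes into the QR URL.
  createChallenge() {
    const id = crypto.randomBytes(32).toString('base64url'); // unguessable
    this.pending.set(id, this.now() + CHALLENGE_TTL_MS);
    return id;
  }

  // Steps 2-3: the phone, already authenticated as `user`, approves the id.
  authorize(id, user) {
    if (typeof id !== 'string') return false;
    const expires = this.pending.get(id);
    this.pending.delete(id); // single use, even when the attempt fails
    if (expires === undefined || this.now() > expires) {
      this.removeAllListeners(id); // drop any login page still waiting
      return false;
    }
    const sessionToken = crypto.randomBytes(32).toString('base64url');
    // Step 4: push the session to the login page waiting on this id.
    return this.emit(id, { user, sessionToken });
  }
}

function demo() {
  let clock = 0;
  const broker = new PairingBroker(() => clock);
  const delivered = [];
  const id = broker.createChallenge();
  broker.once(id, (s) => delivered.push(s));    // stands in for the websocket
  const first = broker.authorize(id, 'alice');  // phone approves
  const replay = broker.authorize(id, 'alice'); // same QR scanned again
  const stale = broker.createChallenge();
  broker.once(stale, (s) => delivered.push(s));
  clock += CHALLENGE_TTL_MS + 1;                // QR left on screen too long
  const expired = broker.authorize(stale, 'alice');
  return { first, replay, expired, delivered };
}
```

Calling `demo()` shows one delivery for the first approval, while the repeated scan and the expired code are both refused.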

Benefits:

  1. Easy to use:  Just snap a picture and you’re in.
  2. More secure:  You do not need to type your username/password into the login screen.
  3. Fast: The QR scan and websockets are fast, fast, fast.
  4. Fun:  Your users will love using QR codes.

I have a new proof of concept posted here: http://goo.gl/WPfp.  It may not be 100% clear what you are seeing, but once you authenticate, check your browser’s cookies and you will see that a cookie has been set for instantauthentication.davidcarns.com.

One of the coolest things about Instant Authentication is that it can be delivered as a JavaScript plugin to your existing website.  It only requires adding a line of JavaScript to your login page and authentication page. Simple, fast and more secure.

What do you think?
