Authentication via QR Codes

An interesting article called “Logging in with QR Codes” was posted to Hacker News. It describes a way of logging into a site from a non-secure (or at least untrusted) PC, such as one in a cybercafe, without having to enter your password. Instead, the system presents you with a QR code, which you scan with your (pre-authorised) trusted device. The QR codes are used as one-time session tokens for the login.
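The flow described above, sketched as an added example (not code from the article or from any of the projects). It assumes the trusted device was enrolled with a shared key and approves a login by returning an HMAC over the scanned token; the class and function names are hypothetical.

```python
import hashlib, hmac, secrets, time

TOKEN_TTL = 60  # seconds a displayed QR code stays valid (assumed value)

class QrLoginServer:
    def __init__(self):
        self.device_keys = {}  # device_id -> (user, shared key), set at enrolment
        self.pending = {}      # token -> browser session, expiry, approving user

    def enrol_device(self, user):
        device_id, key = secrets.token_hex(8), secrets.token_bytes(32)
        self.device_keys[device_id] = (user, key)
        return device_id, key

    def new_login(self, browser_session, now=None):
        """Untrusted PC asks to log in; the returned token is what the QR code encodes."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self.pending[token] = {"browser": browser_session,
                               "expires": now + TOKEN_TTL, "user": None}
        return token

    def approve(self, token, device_id, mac, now=None):
        """Trusted device scanned the QR code and sends HMAC(key, token)."""
        now = time.time() if now is None else now
        entry = self.pending.get(token)
        # Reject unknown, already-approved or expired tokens.
        if entry is None or entry["user"] is not None or now > entry["expires"]:
            return False
        if device_id not in self.device_keys:
            return False
        user, key = self.device_keys[device_id]
        expected = hmac.new(key, token.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, mac):
            return False
        entry["user"] = user
        return True

    def poll(self, token, browser_session):
        """Browser polls for the result; the token is consumed on first success."""
        entry = self.pending.get(token)
        if entry is None or entry["browser"] != browser_session or entry["user"] is None:
            return None
        del self.pending[token]  # one-time use: a replayed token finds nothing
        return entry["user"]

def device_response(key, token):
    """What the enrolled device computes after scanning the QR code."""
    return hmac.new(key, token.encode(), hashlib.sha256).digest()
```

In this sketch `approve()` checks only possession of the enrolled device's key; no password is involved at any step.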

There are several similar projects:

Personally, I think this idea is pretty neat, but I can’t help thinking that it is less secure than the more popular multi-authentication schemes already out there, such as Google Authenticator or RSA SecurID. Whilst these mechanisms generally still require you to enter your password, the hardware component provides the one-time pad/session component. Unlike the QR code solution, if the RSA token is stolen, your account can’t simply be accessed, as you still require your password.

I wonder if there are any other applications for this type of authentication scheme though…


Tags: qr code, authentication, mobile