Not all QR codes are created equal
by Perry Chaffee, on Mon 04 February 2019
QR codes have been around for 25 years, with mixed perspectives on them over time depending on who you ask and what they’re being used for. After marketers figured out that people generally don’t want to go through the trouble of scanning a QR code just to view advertisements, companies like Snap and Facebook found ways to make them cool enough that many people didn’t even realize that they were using them at all. Over time, some predicted the QR code would die, while others have noted that it has made a comeback. Recently, some companies started using them for authentication, but with different implementation methods and equally mixed results. Like many innovations, the QR code can be applied in many different ways, with both good and bad outcomes depending on the context and implementation method.
Not all QR codes are created equal. The QR code is just a transport tool; it is how you use it that matters most. The only thing a QR code should ever contain is a random authentication session identifier, which must not disclose any information to attackers.
Services like you describe use the tool wrong and are poorly designed because they encode completely unnecessary data in QR codes. Those who created them are not concerned about end-user security and privacy -which implies that they are not qualified for their jobs. Moreover, most services trying to improve their obsolete security go in the wrong direction, starting with usernames & passwords then adding additional factors. Usernames and passwords are themselves the very root of the problem. As you highlight, incorrect use of QR codes makes it worse. However, it is important to recognize that correct use of QR codes eliminates the problem completely.
People’s usernames are most often their primary email address and are often publicly known or guessable. Detailed statistical analysis of compromised credentials found on the dark web shows that the majority of passwords are reused across multiple services. Companies like Google have noted that even when 2FA solutions are offered, less than 10% of their users ever turn them on and use them. Worse yet, the most common 2FA solutions involve SMS (which NIST recommends against), or other even less secure means like security questions.
We should stop relying on Human Readable Credentials (HRC) altogether. We cannot fix usernames and passwords. It is unreasonable to expect the people to use a unique username and password combination for each account. The new authentication should rely on a secret stored in a cryptographic device. Even if it is a smartphone, it is still way better than passwords. The QR code is a perfect fit in this case, and I could share an example if you’re interested. The only thing the QR code should contain is a random authentication session identifier, which does not disclose any information to attackers. If more security is needed, we can use smart-card based authenticators.
When people assess authenticators which use QR codes, it is important to remember that not all implementations are equal. There’s huge potential for the QR code to solve the single biggest problem that exists in cybersecurity today -it just has to be implemented correctly. Just because some implementations are terrible doesn’t mean we should throw the baby out with the bathwater. If we do, billions of people will be indefinitely stuck using usernames and passwords coupled with unsecure 2FA methods which add friction to the UX to frustrated users with the illusion of security and solutions which are actually secure (and convenient) and which correctly use tools like QR codes will be misunderstood and under-utilized.