Can the QR code replace user names and passwords? Verizon Enterprise thinks so - at least for some companies looking at two-factor authentication.
Verizon Enterprise on Tuesday is launching QR codes as a two-factor authentication option in its universal identity service. What's unclear is how many companies will see the handy QR code as a way to help eradicate user names and passwords.
The telecom giant developed a QR code login that would allow a customer or employee to scan a QR code on a website with their smartphone without a user name or password. User names and passwords are a major security issue since few people use two-factor authentication and most passwords are reused across multiple sites. The QR code would get people into accounts without passwords.
How is this more secure? If someone steals your phone, they can get into your accounts just by running the app. It would be like an ATM card without a PIN.
The point of 2-factor authentication is that breaking one form of authentication doesn't allow the perpetrator into your account. If they steal your phone/card, they still need to know a password/PIN; if they discover your password, they still need your phone or card.
As Hollywood screenwriters delight in pointing out, using biometrics for access control is only as strong as the willingness of an attacker to maim someone for commercial gain, but biometrics "works" for most business uses.
The problem with biometrics is that they are inseparable from the person who has them: if I fire Alice, and hire Bob to replace her, I must reprogram all the fingerprint scanners for Bob's fingerprints.
"QR" codes are a compromise between the insecurity of passwords and the (admittedly relative) security of biometrics: the QR code can be removed from a "smart" phone remotely, so if Alice loses the phone, the code can be revoked in relatively short order. More to the point, it's the *OWNER* of the resource who gets to choose the code, so Alice *CAN'T* share it or use it in other places or for other purposes.
Of course, the phone is only as secure as an attacker's willingness to steal it, or the QR image, from Alice while it's unlocked.
This strikes me as one of those "Do *SOMETHING*" solutions: not a big improvement in real security, but enough to stop someone's boss from screaming.
That cuts both ways. I'm tempted to tell a joke about how a woman you approach in a bar might demand that you present your tattoo for scanning, but the more likely scenario is that a policeman will demand it so that he can tell if you're in the wrong neighborhood, or if you're a "person of interest" to the ruling class, or if you've visited any "communist sympathising" country, or if you're too well-educated to believe his threats, or if you or your relatives are wealthy enough to bail you out of jail or pay a fine.
It's a /very/ interesting and /very/ scary subject, and there are (serious, well thought-out) arguments for both views: I was told that Massachusetts driver's licenses won't be accepted as valid ID at airports in a couple of years. It seems that Bay State residents will be expected to present U.S. passports or other federal ID instead.
If I understand the issue correctly, this is because my home state has refused to participate in what amounts to the federal government's demand that driver's licenses be used as national ID cards: it seems that most voters are uncomfortable with the idea of having to carry a "U.S." ID card or passport all the time, so the feds are going through the back alley and demanding that states provide equivalent identity credentials that can be quickly scanned by any cop at any traffic stop, anywhere in the U.S.
If we're all to be tattooed with a bar code or QR code or whatever, at least we won't have to pay the Old Boys Club at Foggy Bottom hundreds of dollars for a passport every five or ten years. And, speaking for myself, I'd rather be able to board the commuter rail by scanning my arm than by having to buy yet-another-monthly pass: I'm not likely to forget my arm. ;-)
Well, it looks like I'm supposed to scan a QR code off of a (probably) LCD screen displaying a web site. I haven't had a lot of luck doing that reliably. In my experience, QR codes scan better if they are on paper or you are handing the image directly to a scanner program (no display/camera involved).
I guess if I want to access the web site via smartphone, I either need *two* smartphones, or one that can aim its camera at its own screen, or one where I can point the browser at an image it is displaying and ask it to scan the image for QR codes. I haven't seen that ability in many browsers. Installing browser extensions seems to be beyond many users.
Also, my smartphone isn't very good at decoding dense QR codes without multiple tries and very careful aiming. I'm not sure how much getting a phone with a better camera would help.
Weakness: no cell service, no login. Even if it's an employee trying to log into the server from someplace inside the data center (which tend to have terrible cell phone service due to shielding and extensive air conditioning ducts). It's not something you want to force the employees in charge of fixing cell phone service to use in order to do their jobs.
Weakness: if a business is using this to handle logins into its internal systems from inside its offices, this information is now going over the Internet (when previously it didn't). Even if it's encrypted, it's still exposed. Cutting off internal logins is now possible by cutting fiber possibly very far from the business. Even if it's assumed (correctly) that this cut is an attack in preparation for a (physical) robbery, narrowing down which business is the target may be difficult.
Factors:
- Something you know (e.g. usernames and passwords and PINs)
- Something you have (e.g. various cryptographic tokens, or an app programmed with individual information)
- Something you are (e.g. biometrics)
Unless there's something I'm missing, it seems if I can come up with a good excuse to borrow your phone, I'm into your account. That's *one* factor: something you have. I'm not sure I like the idea of more and more reasons to steal cellphones.
It's unclear how you could handle one person having multiple accounts (e.g. personal, work, in his role as trustee of his church, and in his role as Girl Scout cookie drive chairman).
Something has to be done in order to tie your session (on, say, a tablet or desktop) with your login (on the smartphone). I guess that's what the contents of the QR code is for.
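The session-binding step the last comment asks about, as an added example (this is not Verizon's implementation, which the article does not describe): the server issues a random, short-lived nonce tied to the browser session and shows it as the QR payload, the enrolled phone signs the nonce with a per-device secret and posts it over its own connection, and the server marks the browser session as logged in only after checking the signature, the expiry and that the nonce has not been used before. The per-device HMAC key, the payload format and the 60-second lifetime are assumptions made here for illustration.

```python
# Added example of QR-login session binding (assumed design, not a
# description of any real product). Device keys, payload format and
# timings are constructed for illustration.
import hmac
import hashlib
import secrets
import time

QR_TTL_SECONDS = 60  # assumed lifetime of a login QR code


class QRLoginServer:
    def __init__(self, now=time.time):
        self.now = now
        self.device_keys = {}  # device_id -> enrolled per-device secret
        self.pending = {}      # nonce -> (browser_session_id, expiry)
        self.sessions = {}     # browser_session_id -> device_id once logged in

    def enroll_device(self, device_id: str) -> bytes:
        """Out-of-band enrollment: server and phone share a per-device secret."""
        key = secrets.token_bytes(32)
        self.device_keys[device_id] = key
        return key

    def issue_qr(self, browser_session_id: str) -> str:
        """Browser asks to log in; the returned nonce is what the QR code encodes."""
        nonce = secrets.token_urlsafe(32)
        self.pending[nonce] = (browser_session_id, self.now() + QR_TTL_SECONDS)
        return nonce

    def complete_login(self, device_id: str, nonce: str, tag: bytes) -> bool:
        """Phone posts (device_id, nonce, tag) over its own network connection."""
        entry = self.pending.pop(nonce, None)  # single use: any retry fails
        if entry is None:
            return False
        browser_session_id, expiry = entry
        key = self.device_keys.get(device_id)
        if key is None or self.now() > expiry:
            return False
        expected = hmac.new(key, nonce.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return False
        # Only now is the browser session tied to the phone that scanned it.
        self.sessions[browser_session_id] = device_id
        return True


def phone_sign(device_key: bytes, nonce: str) -> bytes:
    """What the phone app computes after scanning the QR code."""
    return hmac.new(device_key, nonce.encode(), hashlib.sha256).digest()
```

Note that the nonce says nothing about who is allowed to log in; the binding comes entirely from which enrolled device signs it, which is why possession of the unlocked phone is the single factor the other comments worry about.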