First of all: All modern malware/botnets steal session cookies in real time and then log in and perform any automated task they're programmed to. All you're protecting is a username/password which should be unique to the service anyway.
So basically you want one-time session tokens. This is only slightly secure if you do the "first" login on the phone, not on the desktop, since you don't trust the desktop. You can achieve one-time session tokens with an app on your phone that doesn't need network access, such as a one-time pad or some kind of HMAC token-generating app (display a token, user enters it into the app along with their secret key, a new token is generated, put into the desktop login and poof, you have a secure one-time token). You can do that with QR codes to avoid having to type stuff.
This could also be used for non web site logins with some work - I'm thinking of a PAM module that puts a QR code up on the login screen. This likely would be more work than it is worth. If it were done, logging in to a non-graphical system (e.g. ssh / console) would be an interesting challenge - theoretically, you could make ASCII-art QR codes. ;-)
As a more elaborate version, this could provide a challenge-response authentication where the QR code is the challenge, an Android/iPhone app does a crypto hash to sign the challenge and sends it to the home office to complete the authentication.
Unfortunately, webcams are not consistent WRT presence and access, otherwise the phone app could generate a signed QR code and send it back to the home office via the webcam. The primary advantage here would be if you did not have internet access via your cell phone, e.g. neither cell phone coverage nor a WiFi hotspot was available.
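The offline challenge-response flow sketched in the two comments above (a server-issued challenge shown as a QR code, an HMAC computed on the phone from that challenge and a shared secret, the result typed into the desktop login), as an added example that is not code from the original thread or from any project named in it. The shared secret, the 60-second lifetime and the 80-bit truncation are assumptions for illustration.

```python
import hmac
import hashlib
import secrets
import time

# Constructed shared secret: in practice provisioned to the phone app once,
# out of band at enrollment (e.g. shown as a QR code on a trusted device).
SHARED_SECRET = bytes.fromhex("00112233445566778899aabbccddeeff")

CHALLENGE_TTL = 60  # seconds a displayed QR challenge stays valid (assumed)


def phone_response(secret: bytes, challenge: str) -> str:
    """Phone-app side: needs no network, only the scanned challenge and the secret."""
    mac = hmac.new(secret, challenge.encode(), hashlib.sha256).digest()
    # 80-bit token: short enough to type on the desktop, or to show as a QR code
    return mac[:10].hex()


class Server:
    """Issues single-use challenges and verifies the phone's HMAC response."""

    def __init__(self, secret: bytes, now=time.time):
        self.secret = secret
        self.now = now            # injectable clock so expiry can be tested
        self.pending = {}         # challenge -> issue time; removed once used

    def new_challenge(self) -> str:
        # This random hex string is what the login page encodes into the QR code.
        challenge = secrets.token_hex(16)
        self.pending[challenge] = self.now()
        return challenge

    def verify(self, challenge: str, response: str) -> bool:
        # pop(): a challenge is consumed on first use, success or failure,
        # so a token captured by malware on the desktop cannot be replayed.
        issued = self.pending.pop(challenge, None)
        if issued is None or self.now() - issued > CHALLENGE_TTL:
            return False
        expected = phone_response(self.secret, challenge)
        return hmac.compare_digest(expected, response)  # constant-time compare
```

Because the phone never receives the secret over the network and the challenge is random, a keylogger on the desktop only ever sees a token that is already spent.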
Great to see this discussion here. I'm the implementer of Animate Login, which is a similar, open source, QR Code authentication system. We're currently in discussions with the tiqr project (also open source) to see if it makes sense to combine the two systems:
I had this idea a few months back but didn't have any reason to develop it; I assume many others have had it too, and I would love to see it used. The basic use case for me was when I had an application that had a purpose when used on mobile vs desktop (for me it was scanning labels of products) and a user had to be logged in via the desktop and phone. Glad to see a proof of concept, I hope this idea takes off; typing in my username and password on mobile devices drives me crazy. Sign in on the website, get a QR code, scan it with the phone and be logged in to the website on the phone.
edit: never mind, this is different, more like fingerprint scanners than my idea. That teaches me to skim articles at first. Still a neat idea!
We're using QR tags at our office for the door locks sometimes.
People with 24/7 access get more robust RFID tags, but for time-sensitive access, we just generate their key & print out a QR code with it that they show the camera.
I don't have any info posted about the camera setup, but we're using a Windows laptop with some random QR reader (fastest one we found) to call the unlock URL on the Linux lock server sitting next to it w/the key from the QR code.
Source is over on GH, but it would be pretty straightforward to roll your own nice & quick. If you do want to use mine, I'd be totally willing to help hack in new features, I've got lots of stuff I want to improve it with, but just don't have the side project time.
I dig this concept, and using things like QR codes for non-traditional uses.
I'd prefer to scan a QR code on a page than enter a captcha. I think for things even simpler than logging in, QR codes could be a reasonable alternative to difficult web forms, ID verification, etc.
It is at http://www.kirubakaran.com/passtrust/
It has email confirmation on creation of the account (first log in) but I've temporarily disabled it as I am making some changes.
I like this idea. I don't think QR codes are being used to their full potential.
The standard is definite for how to create QR codes, but I don't like how there are no written standards for how to pack the data (e.g. contacts, events, messages)
I've been working on something very similar for a while now, good to see all the positive feedback in the comments. I have a very alpha version at http://qrauth.com
That's what I thought. Implementing it without asking for extra info from the user might be troublesome if access to a phone's UDID is restricted (I think it is with Apple now?), and I'd imagine using a QR code as the second factor might be better for people who don't want to give a service their phone number or receive texts from it.
That all being said, and as interesting as it is, I'd be more interested in something that could use, say, push notifications (and Android intents specifically, unless there's an iPhone equivalent) as a smooth implementation of some sort of public key authentication.
When you activate two-factor authorization, the system can give you a URL you have to visit on your phone. You then get your UID as a cookie that will serve as the UDID.
Push notifications would work as well as SMS, but you have to install an app for that.
It would only work as an alternative (definitely a more convenient one) to something like Google's two-factor auth app with one-time passwords, not a complete replacement. If the phone was stolen, you'd need a way to get in and shut it off. Google's system lets you save a handful of codes for this case.
First of all, why would I have to grab my phone, unlock it and run a code scanner if I already have my hands on the keyboard? It makes no sense at all.
QR codes are cool so you don't have to type addresses when you see a poster, billboard, etc., or a mobile link on a website.
It's more useful to go the other way. Generate a QR code (with a URL & certificate) on your smartphone, and scan that from a desktop to log in. The only problem is nobody is writing PC software anymore, so even finding decent QR code scanner software for a desktop computer is troublesome these days.
I disagree. Going that way you can use pretty much any device with a web browser to log into. Desktop, laptop, iPad or even your fridge, if it has a browser built in. Mac/Linux/Windows - it doesn't matter. There is no need for any additional software, and also no need for a built-in webcam.
When you search for QR scanning software there are 45 options for iOS, and only 2 for MacOS, one of which is an Air app and the other costs $30 and is proprietary, and they both suck.
That says very little about whether people are still writing software for Windows and Macs in general and quite a lot about the use case of QR codes for mobile devices vs desktops.