
Authorization via QR

Greetings to you, dear reader.

Somehow the idea came to me: to log in to a site using a QR code. A web search gave several results:

  1. SQRL
  2. and others (a search has already been done here, so I will not repeat it)

In early 2012 even Google ran a similar experiment (for two-factor authentication), but it did not stick.



All of these are complex, tricky client-server implementations, and they are, of course, very cool. And here is the key point of my latest genius idea:
The user opens the site in a modern browser (one with camera support) and holds the QR code up to the device's camera. And encoded in the code is... right! The login data (a login-password pair), just like that, unencrypted, in plain text. The code is read on the client side by JavaScript, the data is inserted into the form by the same JavaScript, and the authorization form is submitted by JavaScript. By and large, other kinds of barcodes could be used, but QR, I think, is the most popular (most widespread) for tasks like this.

And yes, this can be applied not only on the web, but in any odd situation where you need to type a login / password / something on a keyboard, and you have a camera and a QR code.

The idea probably sounds silly. It is too simple. But let me tell you why it has a right to exist.

Who does not need it


You do not need this if:


Advantages over manual input


The main advantage is that there is no manual input. Entering a password this way takes ~1 second for any valid password length.
The appeal of this method of authorization becomes noticeable in cases where:


You can, of course, use fingerprints, USB tokens, one-time passwords, or NFC tags, but all of these require server modification, client hardware modification, and so on. When a QR code is read, the same username and password go directly into the server's input fields. Most modern laptops / tablets / PCs have a camera and a modern browser.

What else?


Where it can be used:
- There are many applications that store passwords in a database protected by a master password. That is great, but these applications show you the password as text and you have to type it in by hand. The saved password could be displayed as a QR code instead.
- A QR code can be laid out in black pearls on a platinum plate, or printed on a piece of paper / plastic and attached to your key ring as a stylish key fob.
- A QR code can be generated when you register somewhere, and your password manager application reads it and saves it.
- You can generate fairly complex one-time passwords and encode them into QR codes. For example, for the same two-factor authorization.

Demo


Since I am not very strong in JavaScript, to test the concept I took the scripts that read the code from the camera from webqr.com (thanks to them) and modified them slightly. You can see it here.
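The client-side step described above (decoded QR text into the form, then submit), sketched as an added example; this is not the author's demo or the webqr.com scripts. The payload layout `login<LF>password`, the field names `login` and `password`, and the length limit are assumptions, and because the payload is a plaintext password the sketch only releases it to an HTTPS, same-origin POST form.

```javascript
// Added example. Assumptions (not from the article): the QR text is
// "login<LF>password", and the form has fields named "login" and "password".
const MAX_FIELD = 256;                       // constructed length limit
const CONTROL = /[\u0000-\u001f\u007f]/;     // control characters, incl. LF

// Split the decoded QR text into credentials; return null if malformed.
function parseQrCredentials(text) {
  if (typeof text !== 'string') return null;
  const sep = text.indexOf('\n');
  if (sep < 1) return null;                  // no separator, or empty login
  const login = text.slice(0, sep);
  const password = text.slice(sep + 1);
  if (!password || login.length > MAX_FIELD || password.length > MAX_FIELD) return null;
  if (CONTROL.test(login) || CONTROL.test(password)) return null;
  return { login, password };
}

// The payload is a plaintext password, so only release it to an HTTPS,
// same-origin POST form.
function isSafeTarget(form, pageUrl) {
  const page = new URL(pageUrl);
  const action = new URL(form.action || pageUrl, pageUrl);
  return action.protocol === 'https:' &&
         action.origin === page.origin &&
         String(form.method).toLowerCase() === 'post';
}

// Called with the text returned by the QR decoder.
function loginFromQr(decodedText, form, pageUrl) {
  const creds = parseQrCredentials(decodedText);
  if (!creds) return 'rejected: malformed payload';
  if (!isSafeTarget(form, pageUrl)) return 'rejected: unsafe form target';
  form.elements.login.value = creds.login;
  form.elements.password.value = creds.password;
  form.submit();
  return 'submitted';
}
```

In a browser this would be called as `loginFromQr(text, document.forms[0], location.href)` once the decoder has produced `text`.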

Security


The undisputed and main advantage of classic passwords is that they are stored in your head and typed by hand. The main danger of the method described above is that your QR codes become available to an attacker. But if you, like my dad, store all your passwords in the file “My passwords.doc” on the desktop, then QR codes are even more secure: they cannot be read by eye.

That's all


Thanks for your attention. I look forward to critical comments pointing out the fatal flaws of the method. Or admiring exclamations: “How could I not have thought of it myself!”

Source: https://habr.com/ru/post/207358/

