Passwordless/QR code login


(Soni L) #1

If a device has a screen, and another device has a camera, it should be trivial to login using a QR code between the two.

This avoids the use of passwords, and could even allow passwords to be disabled completely! You can’t breach/leak something that doesn’t exist!

(Alternatively, client-cert-wrapped public key authentication, similar to SSH, would also be nice. This way, the key is derived client-side and no password or private key or other secret is ever sent to the server. It’s also 100% MITM proof, unlike the QR codes. Might be a while until HTTPS clients start adding support for this, tho…)


(Jeff Atwood) #2

Can you cite any large public website which behaves in the manner you describe?


(Soni L) #3

Yes, WhatsApp Web has been doing this since forever. (at least the QR code bits)


(Jay Pfaffman) #4

So you log in to the web interface with a password and then log the phone in via the web interface?


(Jeff Atwood) #5

Maybe you could show us some screenshots of how it works?


(boredomdenied) #6

I first saw this with Airdroid. That’s a local network interaction though. I guess in theory this could work out much the same. The server authenticates a user on PC, generates a temporary QR the same as a temp password, and then the phone app uses the camera sensor to detect the QR code on your desktop screen and that authenticates it in.

As for that being “trivial” :thinking: I’m not so sure about that. I think this would be much better suited for a native app but in theory this is doable today with web api https://whatwebcando.today/

A quick search for “ruby qr” does show gems which do decode and encode. You’re basically just generating the temp password, encoding, sending the image to PC, using web api to operate camera sensor, find the qr object and save it, decode it back to temp password, auth in.


(Soni L) #7

There are web APIs for camera and generating QR codes is easy.

Public computers generally have cameras, too. Would be nice to log in on those using a logged-in phone. Mostly because they have real keyboards while phones don’t, and it’s a lot easier to type a long post on a real keyboard.

(Logging out is trivial on discourse)


(boredomdenied) #8

If you believe this is all trivial, you should go ahead and create it yourself :+1: what’s stopping you?


#9

Google Messages / Messages for Web uses QR codes so you can send and receive messages from your web browser:
https://messages.android.com/

The process is simple but is explained in more detail here:
https://support.google.com/messages/answer/7611075

I’ve found this use to be particularly helpful checking messages when my phone is elsewhere (if I enabled it beforehand) and when sending messages to groups when I have lists that aren’t on my phone.

P.S. Screenshots

A. Google Messages screenshots on Android phone:

1. Menu | select “Messages for Web”

2. Get ready to scan QR code. Note that it shows signed-in computer:

B. Edge web browser screenshots:

3. Unconnected

4. Connected after QR code is scanned
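A minimal server-side model of the flow boredomdenied (#6) and the Google Messages post (#9) describe, as an added example that is not Discourse code or anything from the posts above: a pending browser session gets a short-lived, single-use random token to show as a QR code, a phone that is already logged in submits the scanned token, and the browser polls to learn that it was approved. Rendering the token as an image (for example with the rqrcode gem) and the HTTP routes are left out; the QrLoginBroker class, its TTL and the injectable clock are assumptions.

```ruby
require 'securerandom'
require 'digest'

# Added example, not Discourse code: server-side state for a QR login handshake.
# The token in the QR code is a bearer secret, so it is random, short-lived,
# single-use, bound to the browser session that asked for it, and stored only
# as a SHA-256 digest (a leaked table row is not a usable token).
class QrLoginBroker
  TTL = 60 # seconds a displayed code stays valid (assumed value)

  def initialize(clock: -> { Time.now.to_i })
    @clock = clock    # injectable so expiry can be tested
    @pending = {}     # token digest => pending login entry
  end

  # Step 1: an unauthenticated browser asks for a code and renders the returned
  # token as a QR image; the server keeps only the digest.
  def issue(browser_session)
    token = SecureRandom.urlsafe_base64(32)
    @pending[Digest::SHA256.hexdigest(token)] = { browser_session: browser_session,
                                                  issued_at: @clock.call, user_id: nil, used: false }
    token
  end

  # Step 2: a phone already logged in as user_id submits the scanned token. The
  # phone UI should show which browser it is approving before calling this.
  def approve(token, user_id)
    key = Digest::SHA256.hexdigest(token)
    entry = @pending[key]
    return :unknown unless entry
    return :used if entry[:used]
    if @clock.call - entry[:issued_at] > TTL
      @pending.delete(key)
      return :expired
    end
    entry[:used] = true
    entry[:user_id] = user_id
    :approved
  end

  # Step 3: the browser polls with its own session id and gets the approving
  # user id exactly once; the entry is consumed so it cannot be replayed.
  def poll(browser_session)
    key, entry = @pending.find { |_, e| e[:browser_session] == browser_session }
    return nil unless entry && entry[:used]
    @pending.delete(key)
    entry[:user_id]
  end
end
```

Token expiry only bounds the code on the screen; the concern in #10 about forgotten sessions is a separate matter of session lifetime and revocation.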


(Bhanu Sharma) #10

While it works well for many real-time messaging apps, I think it imposes a potential security risk in case of someone forgetting a logged-in session or someone with access to the phone leaving a session in their browser for later use with wrong intent.

I think a first log in is required on any platform where a user signs in, and then we can maybe implement the Facebook approach of keeping a quick login (passwordless) link on the user’s personal devices (something like a check box that asks if the user wants a quick login on this device), which can be additionally protected either by 2FA or a login PIN.


(Bas van Leeuwen) #11

What could work is to modify the Log in with Email function, to also include the secret URL in a QR code which can then be scanned on the phone (but yeah, in that case, just open the email on your phone I guess)


(Héctor Fernández) #12

That would work. But then, why not just send a notification that would appear directly in Discourse?


(Soni L) #13

Don’t do a Tumblr. It’s even less secure than QR codes.


(Bas van Leeuwen) #14

I honestly don’t know what this means :slight_smile:

Instead of focusing on the HOW question, can we focus on the WHY? What is the use case for this functionality? Which users does this help?


(Soni L) #15

This helps users who don’t wanna use passwords and would rather you didn’t send them a login link over email because that’s just ridiculously insecure.


(David Taylor) #16

I think you need to explain this… pretty much any online web service allows resetting your password using a link sent by email. How is a login link any less secure than a password reset link?


(Bhanu Sharma) #17

Plus the fact that services like Slack have adopted the practice of sending disposable (magic) login links for a long time. I don’t see a reason why sending a link to a mailbox would be considered “insecure” unless one is absolutely ridiculous and running some ancient, insecure mail server.


(Jeremy M) #18

Passwordless (magic login links is another term) is a great idea, but using a QR code just really breaks down the process and makes things a lot more difficult. Would be better to use a 2FA/MFA process instead, but at the very least passwordless/magic link is the way to go.

@Soni you seem to be convoluting different processes like Whatsapp uses to bridge a gap between a mobile-only service and a viewport on desktop. That really wouldn’t fit into this use case / flow here in a forum. You’re more thinking of a 2fa solution where you use a mobile device with an app like Google Authenticator or Auth0 Guardian or Authy to verify the login process that you initiate on a forum/app.


(Héctor Fernández) #19

I don’t want to speak for @Soni but I think I understand the use case, and it’s not related to 2fa in any way. It’s really like WhatsApp. Let’s say you are always logged in on your phone, but sometimes you like to quickly log in to some computer to more comfortably post some messages. In that case you don’t want to remember a username and password. So you scan a QR code to log in. As an alternative to the QR code, you enter your e-mail in the browser and you receive the link on your phone, but clicking this link logs you in on the computer. I’m not saying it’s feasible or secure, just trying to explain the idea.


(Jose C Gomez) #20

This is kinda what you are asking for. The protocol is written; it just needs to be implemented:
https://www.grc.com/sqrl/sqrl.htm