Compare QR code login via native apps and passkeys for secure, convenient authentication. Discover the best method for your organization.
Vincent
Created: August 27, 2024
Updated: December 9, 2024
Our mission is to make the Internet a safer place, and the new login standard passkeys provides a superior solution to achieve that. That's why we want to keep you up to date on the latest developments in the industry.
Secure and convenient authentication methods are more crucial than ever. With the increasing number of online services we access daily on different devices, traditional password-based systems are becoming less effective and more cumbersome. Especially for companies with a large number of users on their native apps (iOS or Android Apps) this has led to increasing demand for QR code-based logins, which offer a quick and easy way to authenticate users without the need for typing in complex passwords or even usernames.
In this context, questions like the following emerge:
[Figures: native QR code login (Revolut) and passkeys QR code login (Apple)]
Prominent examples for QR codes in native app logins are app-first services like WhatsApp, TikTok or Revolut. At the same time, there is a fast growing list of companies supporting passkey logins.
In this article, we will explore QR code-based authentication techniques. We will not focus on TOTP QR codes used for second factor initialization (with additional apps like Authy or Google Authenticator).
We will also compare different QR based authentication methods, examining their strengths, weaknesses, and potential vulnerabilities.
By the end, you'll have a clearer understanding of whether QR code-based authentication is the right choice for your security needs.
QR codes, or Quick Response codes, are two-dimensional barcodes that can store a variety of information, ranging from URLs to plain text. Originally developed in 1994 by Denso Wave, a subsidiary of the Toyota Group, QR codes were designed to track automotive parts quickly and efficiently. Since then, QR codes have evolved and found their place in various industries due to their ability to store a large amount of data in a small, scannable square.
The term "QR Code" is actually a trademark of Denso Wave, although the technology itself has become widely adopted and is not restricted by the trademark. QR codes are characterized by their black and white square patterns, which can be scanned using a smartphone or dedicated scanning device to access the encoded information.
Support for QR codes has been integrated into mobile operating systems such as iOS and Android for several years. Both platforms natively support QR code scanning through their respective camera apps, making it easier for users to interact with QR codes without the need for additional software.
Generally, QR codes used in conjunction with apps leverage custom URLs or app links. These links can trigger the app to open automatically if it is installed on the device. If the app is not installed, the QR code can direct the user to the relevant app store to download and install the app, thus facilitating a smooth user experience. Here you can see a list of paths that Revolut has registered for app handling:
As you can see, all links starting with "/app/*" are handled by the app; you will see an example in the next section. By embedding custom URLs and app links within QR codes, businesses and developers can create tailored experiences that lead users directly to the desired app or service, enhancing both convenience and security in user interactions.
QR code login via native apps leverages the seamless interaction between a mobile device's camera and specific URLs embedded within QR codes. The process typically begins with a user scanning a QR code displayed on a website or another device using the camera of their smartphone. The QR code contains a custom URL that is specifically designed to interact with a particular native app, such as those found on iOS or Android devices.
For example, a service like Revolut might use a QR code with a URL such as https://revolut.com/app/challenges/qr/e2d78521-d38a-4773-b1b8-27a902a36b4b. This URL is registered to be recognized by the Revolut app installed on the user's device.
When the QR code is scanned, the operating system matches the link to the app, displays the corresponding app (in the example above, "Revolut" is identified as the matching app), and the app proceeds to handle the login process internally. This interaction is facilitated by deep linking mechanisms that both iOS and Android support, which allow specific links to open directly within an installed app rather than in a web browser:
If the app is not installed on the device, the operating system typically prompts the user to install the app by redirecting them to the appropriate app store, whether it be the Apple App Store for iOS devices or the Google Play Store for Android devices.
This ensures that even if the user does not have the app installed initially, they can quickly and easily obtain it, continuing the process after installation.
In most cases, existing customers who have already installed the app will experience a smooth login process. They scan the QR code, the app opens automatically, and the authentication is completed without the need to enter a username or password. This method primarily provides convenience for users; no sensitive information is transmitted during the QR code scan itself.
What happens technically is that an existing logged-in session on the mobile phone is used to authenticate a new session on the desktop. There are different techniques for doing that. A very elaborate version is published in the WhatsApp Security Whitepaper under Client Registration > Companion Device Registration > Link Using QR-Code.
Taken from https://engineering.fb.com/2021/07/14/security/whatsapp-multi-device/
As WhatsApp has supported multi-device access and end-to-end encryption since 2021, its architecture is not perfectly suited for authentication alone: the protocol is primarily designed for a multi-device messaging application. There are simpler approaches to achieve a secure handshake, depending on the actual authentication implementation. What needs to be kept in mind is that you always need to ensure secure handling of user sessions and of the communication channels between the device and the server. Regardless of the complexity of the QR code authentication login implementation, some key security principles should always be followed:
By following these best practices, companies can implement QR code-based authentication that is both user-friendly and secure, leveraging the convenience of mobile devices while maintaining robust security measures to protect user data and sessions.
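The handshake described above, as an added example that is not taken from the article or from any of the apps it names: a hypothetical in-memory broker that mints the unguessable challenge id placed in the QR URL, lets the already-authenticated phone session approve it, and lets the desktop redeem it exactly once before it expires (the example.com host, the TTL and the class name are assumptions).

```python
import secrets
import time

CHALLENGE_TTL_S = 120  # constructed value: a QR challenge stays valid for two minutes


class QrLoginBroker:
    """Hypothetical in-memory broker for the QR handshake: the desktop creates a
    challenge, the already-logged-in phone approves it, the desktop redeems it once."""

    def __init__(self, now=time.time):
        self.now = now          # injectable clock so expiry can be tested
        self.challenges = {}    # challenge_id -> {"created", "user"}

    def create_challenge(self):
        """Desktop side: mint an unguessable id and the URL to encode in the QR."""
        cid = secrets.token_urlsafe(32)
        self.challenges[cid] = {"created": self.now(), "user": None}
        # Hypothetical host; the article cites revolut.com/app/challenges/qr/<id>
        return cid, f"https://example.com/app/challenges/qr/{cid}"

    def _live(self, cid):
        """Return the challenge state if it exists and has not expired, else None."""
        st = self.challenges.get(cid)
        if st is None or self.now() - st["created"] > CHALLENGE_TTL_S:
            self.challenges.pop(cid, None)   # drop expired entries eagerly
            return None
        return st

    def approve(self, cid, phone_session):
        """Phone side: the app calls this after the scan. Who logs in is decided by
        the phone's own authenticated session, never by data inside the QR code."""
        st = self._live(cid)
        if st is None or st["user"] is not None or not phone_session.get("user"):
            return False                     # expired, already bound, or not logged in
        st["user"] = phone_session["user"]
        return True

    def redeem(self, cid):
        """Desktop side: polled with the challenge id. Returns the user exactly once
        after approval (the challenge is then destroyed), None while pending or expired."""
        st = self._live(cid)
        if st is None or st["user"] is None:
            return None
        del self.challenges[cid]             # single use: a replayed poll gets nothing
        return st["user"]
```

In a real deployment the desktop would hold the challenge id in its own pending session and the approval endpoint would be reachable only from an authenticated app session.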
Now let's take a look at QR code logins via passkeys.
Passkey-based authentication offers a secure, cross-device authentication system that is integrated into the iOS and Android ecosystems and is specified in the WebAuthn standard. Currently, only passkeys created on iOS or Android can be used for cross-device authentication (CDA) via QR codes.
Let's analyze how the QR code login with passkeys works. The following chart shows a high-level overview of the different steps.
For both iOS and Android, passkeys are stored within the platform's native authenticator (e.g. Face ID, Touch ID or Android Biometrics). This ensures that a user’s passkeys are available across all their devices logged into the same Apple ID (for iOS) or Google account (for Android) on modern operating system versions.
When implementing passkey-based Cross-Device Authentication (CDA), it's crucial to provide clear guidance to users on the process. Users should be informed that a QR code will be displayed and that they need to use their mobile phone to scan it.
In our opinion, it is important to ensure that QR codes are not shown if the user does not have a passkey that can be utilized for CDA. Additionally, it's necessary to verify that the user's current operating system and browser support CDA before displaying a QR code.
To manage these scenarios effectively, we have outlined all the critical cases in this article, so we won't go into details here. Our passkey intelligence system is designed to automatically handle these situations, ensuring that QR codes are only displayed when appropriate and guiding users smoothly through the authentication process. This ensures a seamless experience while maintaining high security and compatibility across various devices and operating systems.
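A server-side gating step for the rule above, as an added example and not the article's own passkey intelligence system: it keeps the transports an authenticator reported at registration and renders the QR code only when the client reports hybrid-transport support and the user owns a passkey reachable over it (the StoredPasskey record and the shape of the client_caps dict are assumptions).

```python
from dataclasses import dataclass, field


@dataclass
class StoredPasskey:
    """What the server keeps per registered passkey; transports come from the
    authenticator's getTransports() at registration ("internal", "hybrid", ...)."""
    credential_id: str
    transports: list = field(default_factory=list)


def cda_capable(passkeys):
    """Only passkeys that advertise the hybrid (cross-device/QR) transport can
    complete a CDA flow; a USB-only security key cannot be reached via a QR code."""
    return [p for p in passkeys if "hybrid" in p.transports]


def plan_login(passkeys, client_caps):
    """Decide whether to render a QR code and which credentials to offer.

    client_caps is the dict the browser reports back to the server; it is assumed
    to mirror the keys of PublicKeyCredential.getClientCapabilities(), and a
    missing key counts as unsupported. Returns (show_qr, allow_credentials, reason).
    """
    allow = [
        {"type": "public-key", "id": p.credential_id, "transports": p.transports}
        for p in passkeys
    ]
    if not passkeys:
        return False, allow, "user has no passkey"
    if not client_caps.get("hybridTransport"):
        return False, allow, "client cannot do cross-device authentication"
    usable = cda_capable(passkeys)
    if not usable:
        return False, allow, "no passkey reachable via hybrid transport"
    # Narrow the allow list so the client routes straight to the QR path.
    qr_allow = [c for c in allow if "hybrid" in c["transports"]]
    return True, qr_allow, f"{len(usable)} passkey(s) usable for CDA"
```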
In this section, we will summarize the two primary QR code-based login methods discussed in this article: QR code login via native apps and QR code login via passkeys. Each method offers unique advantages and is suited for different use cases based on factors such as security, user experience, and implementation complexity.
Let’s see how both methods compare and have different characteristics:
Comparison Table: QR Code Login via Native Apps vs. QR Code Login via Passkeys

| Characteristic | QR Code Login via Native Apps | QR Code Login via Passkeys |
|---|---|---|
| App Requirement | Yes, requires native app | No |
| Passkey Rollout Required | No, independent | Yes, users need to opt in to passkeys |
| Implementation Effort | High | High |
| Phishing Resistance / MFA | No | Yes (phishing resistant & MFA) |
| Proximity Check | No | Yes |
| User Experience | Seamless if app is installed | Seamless if passkey exists |
| Security Level | Medium | Very High |
We have focused on authentication-based characteristics in the comparison table, and the surrounding requirements outlined in section three apply to both alternatives. Location-based and time-based restrictions are not needed with passkeys, as they employ phishing resistance and proximity checks via WebAuthn.
As outlined in the introduction, we have taken a look at the two most common scenarios of cross-device authentication; let's briefly summarize them:
To answer our questions from the introduction:
Regardless of the current evaluation of which solution fits into the existing authentication architecture, it should be kept in mind that passkeys are an investment in the future of authentication, as the ecosystem is clearly moving in this direction. Starting early to collect passkeys can be combined with different CDA strategies.