Picture the scene: It’s Monday morning, you’ve arrived to the office, brand new MacBook Air is waiting for you on your desk - the amazing product you’ve been working on flat-out for the last 4 months has just been approved by the client and your boss, being generous enough decided to reward you for all your overtime and working weekends during this period by buying you one of those shiny, sleek machines…

…but, that sounds rather unlikely, let’s go back to reality; It’s Monday morning, your head is quite painful after last night’s party that finished at 5am, and your desktop computer died on Friday afternoon, while you were trying to do as much as possible, before the deadline that has been already moved twice. Bummer.

The broken computer has been replaced by your manager’s private laptop, that by all chance has thousands of suspicious apps, keyloggers and it’s running Vista. Ugh… Now, how do you log into your mailbox or your company’s web app without risking that all your passwords will be stolen and your accounts compromised?

Here comes the QR-logging-in idea:

The said web app is displaying QR code on the login screen, right next to regular username/password login form. You’re taking out your phone, snapping a photo with any QR reader app for your iPhone/Android device and in less than 5 seconds you’re logged into the web app on the computer. No passwords, no hassle. And you didn’t even have to touch the keyboard! After that you can log into another app. And another one. And another…

Do you like this idea? Yeah, me too.

So, how to achieve that?

(you can see a quick proof of concept here and source code here)

The main goal was to avoid typing in anything and let users log in from any machine, even the one they haven’t used before, having only their phone within easy reach.

For the purposes of this post I’m assuming that the phone has built-in camera, installed QR reader app, a browser capable of saving cookies and some internet connection (wifi/3g/gprs/whatever). That fits most iPhone/Android/Windows Phone/Blackberry users out there.

As previously mentioned, the web app is showing QR code. The code contains address to the central server + unique identifier of the token that has been assigned by server to the session on the desktop computer. After scanning the code, the phone is opening a page that checks if it has been used with this service before by looking for a cookie containing encrypted information about the user’s credentials (hash of username/user id). The hash is being checked against server’s database and if it’s valid - token in database is being updated with information that the access is granted to user X. Phone shows information that the user has logged to site XYZ. Browser on desktop is constantly checking status of the token and once it says that the user has “logged in” - it’s redirecting to secure part of website. Job done!

What happens if you want to use your phone for the first time?

If the phone is not paired with any user account - the desktop computer will show regular log in form, so it would be good idea to log in first time from machine that you trust. After filling out the log-in form - user can log in automatically, as described above. Want to make it safer (but less convenient) ? Log in form for first time users could be displayed on the phone instead.

This idea could probably work much better than OpenID/BrowserID. Multiple websites could use one centralised system, that would allow user to pair his/her phone once and use it everywhere, without typing anything anywhere. No more typos, no more forgotten username/passwords.

All that said, I believe that QR-logging-in should be an additional way to log into the system, not the only available, because not every user has capable enough phone, also the phone could be lost, discharged etc.

I’d love to hear what you think about this idea, and don’t forget to check out the demo (and source code)!

The post is on Hacker News and found its way to Reddit, if you like it, then bump it up and join discussion:

Hacker News link

Reddit link

Update:

Few people mentioned that the phone could be stolen - if that happens, user could go to a website, log in using regular username/password form and unpair his/her phone with one click.

If you read this far, you should follow me on Twitter.