Bitcoin Forum
Author Topic: Scan QR to Login  (Read 1196 times)
bredy (OP)
May 01, 2015, 09:52:08 PM
 #1

https://qrlogin.novacisko.cz/img/qrlogofb.png

QRlogin:

A brand new way to identify the user. The user simply has to scan a QR code with his smartphone and after a few seconds he is identified. This system can replace traditional username+password identification. It is also more secure than a password. Very fast for tablets or devices without a physical keyboard (tablet+phone).

https://qrlogin.novacisko.cz

Main features

 * Secure way to identify the user
 * Built on Bitcoin cryptographic libraries. The identity is actually a bitcoin address
 * The private key is stored in the handheld device and never leaves the device unless the user requests it.
 * Each site has a separate identity and private key
 * Easy to use: The user just scans the QR code using an ordinary QR scanner
 * No special application needed: Just QR scanner and standard browser
 * It should work on all platforms (Android+iOS+Win)
 * It uses OAuth 2.0 protocol. It should be easy to integrate QRlogin to any internet site that already integrates Google/Facebook login
 * The project is completely open-source, hosted on GitHub: https://github.com/ondra-novak/qrlogin
 * Because there is no extra application needed, every site can have its own server built from the sources. Users still use their QR scanner regardless of where (on which URL) the authorization service is located. Keys of each service are isolated from the others inside the handheld device (this is a generic feature of the browser's localStorage)
 * The user can back up and restore his keys. Keys can also be transferred from one device to another without participation of the server (by scanning the QR code)

Please leave any criticism or ideas below.
Skunk Fu
May 03, 2015, 06:46:57 PM
 #2

Sorry, I don't understand how this works.

You go to login page,
Click on login with QR,
A QR appears on your monitor,
You scan it with your phone....

How does it confirm with the server?
NyeFe
May 03, 2015, 08:54:49 PM
 #3

Clef would be more attractive for business applications: https://getclef.com. Same method, though with 62+ thousand organisations using it with their users.

PremiumCodeX
May 03, 2015, 09:19:20 PM
 #4

Useful code and thank you for sharing it with us! Since anyone can read its source code, actually I have only one question about the project. Although I haven't fully explored your whole project yet, I wonder how it is better than the other similar projects out there?

Clef would be more attractive for business applications: https://getclef.com. Same method, though with 62+ thousand organisations using it with their users.

I can recommend the same, though. An organisation I was into was using Clef and users were satisfied with it.

Kprawn
May 04, 2015, 06:58:17 AM
 #5

This is not criticism, I would rather ask some questions to get clarity on the whole concept.

1. What stops other people from using your QR Code? { Or is this randomly created every time you log in? }
2. Do you retrieve a single QR Code from a central online server to enable you to log in? {External site?}
3. Is this for logging into web sites on the internet, or an alternative authentication for your notebook etc.?
4. How is this protected? {Malware / Trojan Horse} The QR code sent could be intercepted by a hacker. {spoofed}

It's a viable option for lazy people, if it can be secured, but I would not trust an external 3rd party to have access to all my QR codes for every site I access.

Or is this an App running on each site, that generates a QR code as an alternative to the conventional username and password?

MrDjAK
May 06, 2015, 06:14:43 AM
 #6

Looks nice
btchip
CTO, Ledger


View Profile WWW
May 06, 2015, 01:04:51 PM
 #7

Clef would be more attractive for business applications: https://getclef.com. Same method, though with 62+ thousand organisations using it with their users.

People concerned about security should stay the hell away from proprietary solutions, especially in Bitcoin space.


PremiumCodeX
May 06, 2015, 01:36:51 PM
 #8

This is not criticism, I would rather ask some questions to get clarity on the whole concept.

1. What stops other people from using your QR Code? { Or is this randomly created every time you log in? }
2. Do you retrieve a single QR Code from a central online server to enable you to log in? {External site?}
3. Is this for logging into web sites on the internet, or an alternative authentication for your notebook etc.?
4. How is this protected? {Malware / Trojan Horse} The QR code sent could be intercepted by a hacker. {spoofed}

It's a viable option for lazy people, if it can be secured, but I would not trust an external 3rd party to have access to all my QR codes for every site I access.

Or is this an App running on each site, that generates a QR code as an alternative to the conventional username and password?


I am interested in the same summary as well, and in addition, how about my question about why it is better / other than other similar projects?

Clef would be more attractive for business applications: https://getclef.com. Same method, though with 62+ thousand organisations using it with their users.

People concerned about security should stay the hell away from proprietary solutions, especially in Bitcoin space.



Even though the organisation I mentioned did not experience problems using Clef, the same general wisdom you stated was one of the reasons it has switched to another solution.

bredy (OP)
May 06, 2015, 06:06:21 PM
 #9

https://youtu.be/GoSdT2UoCl4
bredy (OP)
May 06, 2015, 06:25:55 PM
Last edit: May 06, 2015, 07:22:55 PM by bredy
 #10

This is not criticism, I would rather ask some questions to get clarity on the whole concept.

1. What stops other people from using your QR Code? { Or is this randomly created every time you log in? }
2. Do you retrieve a single QR Code from a central online server to enable you to log in? {External site?}
3. Is this for logging into web sites on the internet, or an alternative authentication for your notebook etc.?
4. How is this protected? {Malware / Trojan Horse} The QR code sent could be intercepted by a hacker. {spoofed}

It's a viable option for lazy people, if it can be secured, but I would not trust an external 3rd party to have access to all my QR codes for every site I access.

Or is this an App running on each site, that generates a QR code as an alternative to the conventional username and password?

1. QR codes are random for every login. The QR code contains a "challenge". There is a private key stored in your device (a smartphone). The private key is generated (randomly) the first time you use QR Login for a particular site. Every site has a different key.

2. The QR code (challenge) is generated by JavaScript using a secure random number generator.
3. It is for logging into web sites, a similar service to OpenID, Facebook login, Google login, etc.
4. There is a private key and the corresponding public key. The private key is stored in your device and should never leave it (unless you explicitly want it to). The application (downloaded from the qrlogin site as html+js) uses the private key to sign the challenge. Then the signature is transferred to the "auth" site and then through the redirect to the service provider. The service provider can calculate the public key from the signature or it can use the standard OAuth 2.0 token exchange to retrieve the public key (the public key is then transformed to the bitcoin address, which can be used as a unique user ID). The service provider can use both ways to receive the public key to ensure that the signer possesses the correct private key.

You can object that the qrlogin site is in my possession, so I can modify it to track and store all private keys for evil purposes. But you still have the option to run your own site, because the source code of qrlogin is open source under the MIT licence, hosted on GitHub. See the link above (in OP).
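
The challenge/response flow from post #10, sketched as an added example that is not part of the original post and not QRlogin's own code. The function names, the `site|challenge` message layout, the 60-second lifetime and the hashed user ID (standing in for the bitcoin address) are assumptions, and verification here uses an already registered public key instead of recovering it from the signature.

```javascript
// Added illustration, not QRlogin source. Message layout, TTL and ID format are assumptions.
const crypto = require("crypto");

const CHALLENGE_TTL_MS = 60_000;        // assumed lifetime of a displayed QR code
const pending = new Map();              // server side: challenge -> expiry time

// Server: a fresh random challenge for every login attempt (answers 1 and 2).
function issueChallenge(now = Date.now()) {
  const challenge = crypto.randomBytes(32).toString("hex");
  pending.set(challenge, now + CHALLENGE_TTL_MS);
  return challenge;
}

// Device: one key pair per site, created on first use; the private key stays on the device.
function newSiteKey() {
  return crypto.generateKeyPairSync("ec", { namedCurve: "secp256k1" });
}

// Device: sign the challenge together with the site it was issued for,
// so a signature captured for one site is useless on another.
function signChallenge(privateKey, site, challenge) {
  return crypto.sign("sha256", Buffer.from(`${site}|${challenge}`), privateKey);
}

// Stand-in for the bitcoin-address user ID: a truncated hash of the public key.
function userId(publicKey) {
  const der = publicKey.export({ type: "spki", format: "der" });
  return crypto.createHash("sha256").update(der).digest("hex").slice(0, 40);
}

// Server: accept a response only once, only while fresh, only for this site.
function verifyLogin(publicKey, site, challenge, signature, now = Date.now()) {
  const expiry = pending.get(challenge);
  if (expiry === undefined) return { ok: false, reason: "unknown-or-used" };
  pending.delete(challenge);            // single use: a replayed response finds nothing
  if (now > expiry) return { ok: false, reason: "expired" };
  const msg = Buffer.from(`${site}|${challenge}`);
  return crypto.verify("sha256", msg, publicKey, signature)
    ? { ok: true, user: userId(publicKey) }
    : { ok: false, reason: "bad-signature" };
}
```

A photographed or intercepted QR code only reveals the challenge; without the device's private key no valid response can be produced, and a captured response fails on replay because the challenge has already been consumed.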


s2
May 07, 2015, 01:52:43 PM
 #11

Excellent work and great sharing it up.  I was thinking about writing something like this before as I'm on a mission to never use passwords since people never remember them or use unsafe ones anyhow.
Jeremycoin
May 07, 2015, 03:24:34 PM
 #12

I have a question: what if someone lost his phone? Is there any other way to restore the QR Login for reuse?

bredy (OP)
May 07, 2015, 06:15:15 PM
 #13

I have a question: what if someone lost his phone? Is there any other way to restore the QR Login for reuse?

Recently a "backup" feature has been introduced (in v1.1).

https://youtu.be/x3AOj-iXQzY (backup)
https://youtu.be/UdKR2dzhbRw (restore)

You can turn on subtitles for translation of the labels. The current version already has labels translated.



In the development branch, a "print key" feature is already prepared that will allow you to print your key as a QR code (like a paper wallet) using the printer connected to your personal computer (no cable needed, just internet, a browser and a QR scanner). The key is always transferred in encrypted form using 8000 cycles of HMAC-SHA256 of your password and AES. You don't need to remember the password; it can be written on the paper with the printed QR code (by hand) and the paper hidden in a safe place. Encryption is added to protect the key during the transfer.

The print key feature is targeted for the next release (v1.2) - it will be released very soon.
bredy (OP)
May 08, 2015, 12:22:38 AM
 #14

Site https://qrlogin.novacisko.cz updated (if you see old version, try Shift+Reload, or Ctrl+R)

Visible changes are on auth page.

You can now print the key as a QR code. Go to manage keys, choose backup key. After the backup is ready, a pop-up will appear where you can choose to print or save the key.
bredy (OP)
May 08, 2015, 12:28:22 AM
 #15

For testing on a real example, please visit and register on http://forum.novacisko.cz. There is a fresh phpBB forum installed for testing. After registration, you will be able to link your phone with a phpBB account. Note that phpBB cannot link more than one device with the account. This is not a QRlogin issue.