QR Code-based Identification with Mobile Devices

Giovanni Schmid
2012

Abstract

Mobile devices are becoming ubiquitous, giving rise to a pervasive network through which people can share information and also obtain very complex services. A key factor for the security of both consumers and providers in this emerging business scenario is the ability of a user or a service to authenticate itself reliably and efficiently. In this paper, we consider a unidirectional visual channel of interaction between the user and the service. Identification takes place by means of a QR Code symbol that is displayed or scanned by the user's mobile device in the proximity of an access point for the service. We consider protocols for strong authentication which, if correctly implemented, do not reveal any useful information either to the verifier or to any unauthorized observer (zero-knowledge protocols). Our experimental results show the feasibility of our approach for a wide range of mass-market devices and applications, including physical access to restricted or pay-per-use areas (military or parking zones, etc.), logical access to resources or services (e.g., ATMs, computer systems and Internet services), and privacy-aware voting and testing centers.
Istituto di Calcolo e Reti ad Alte Prestazioni - ICAR
978-989-8565-00-6
Identification (Entity authentication)
Zero knowledge protocols
QR codes

Use this identifier to cite or link to this document: https://hdl.handle.net/20.500.14243/212650