If you want to know what the future holds for authentication on the web, it all depends on whom you ask. Some say it’ll come in the form of biometrics – iris and fingerprint scans, etc. Others say the answer lies in a tangle of constantly changing two-factor verification codes users need to punch in.
According to Verizon this week, QR codes need a mention as well. The company announced Tuesday it will soon begin using the chunky black-and-white barcodes that users can scan with their smartphones to facilitate logins for programs in its Universal Identity Services portfolio.
Verizon’s Chief Identity Strategist Tracy Hulver said on Tuesday that the move should reduce fraud, phishing attacks and “even reduce unnecessary expenses associated with help desk support and password resets.”
According to Verizon’s own 2014 Data Breach Investigations Report (DBIR), stolen credentials were a serious threat. The company recorded 422 incidents that stemmed from the use of a stolen password, “ahead of data exfiltration, RAM scraper malware, backdoors and even phishing attacks.”
To use the new QR code functionality, users will have to enroll for a Verizon Universal ID and then download an app that scans a “dynamically generated QR code” on the login page to authenticate them to sites that use the codes.
According to the company, the code can be scanned on the go, as is, or combined with a PIN or password for transactions, like banking, that may require a higher degree of security.
Verizon’s Universal Identity Services is a suite of security programs that help end-users monitor security and dispense user logins and passwords via the cloud. Users can authenticate themselves with OATH hardware and software tokens, PINs, passwords, one-time passwords, and so on.
If users of services running on Verizon’s infrastructure don’t want to rely on QR codes, they can opt for one-time passwords, in the vein of two-factor authentication, to get access.
The company will roll out the QR code feature soon for all UIS customers, employees and business partners.
QR codes have been touted as the next big thing – at least in marketing circles – for years now, but they never seem to have taken off among the security crowd.
In 2011, when the technology was in its relative infancy, hackers found a way to obfuscate the codes and trick users into clicking through to an Android-based Trojan. Similar to how users are never 100 percent sure of where they’re being directed when they click on shortened links, users couldn’t see past the QR codes’ blocky barcode to see the malicious destination.
Last year Google was forced to patch its Glass product when researchers discovered that the glasses automatically read and reacted to QR codes present in photographs. This could have forced the specs to connect to a “hostile” WiFi access point or to other seedy web addresses.