Verizon Bolsters User Authentication With QR Codes

Verizon announced Tuesday it will soon begin using QR codes to allow users to log in to sites and programs in its Universal Identity Services portfolio.

If you want to know what the future holds for authentication on the web, it all depends on whom you ask. Some say it’ll come in the form of biometrics – iris and fingerprint scans, etc. Others say the answer lies in a tangle of constantly changing two-factor verification codes users need to punch in.

According to Verizon this week, QR codes need a mention as well. The company announced Tuesday it will soon begin using the chunky black-and-white barcodes that users can scan with their smartphones to facilitate logins for programs in its Universal Identity Services portfolio.

Verizon’s Chief Identity Strategist Tracy Hulver acknowledged on Tuesday that the move should reduce fraud, phishing attacks and “even reduce unnecessary expenses associated with help desk support and password resets.”

According to Verizon’s own 2014 Data Breach Investigations Report (DBIR), stolen credentials were a serious threat. The company recorded 422 incidents that stemmed from the use of a stolen password, “ahead of data exfiltration, RAM scraper malware, backdoors and even phishing attacks.”

To use the new QR code functionality, users will have to enroll for a Verizon Universal ID, and then download an app that will scan a “dynamically generated QR code” on the login page to be authenticated to sites that use them.

According to the company, the code can be scanned on the go, as is, or combined with a PIN or password for transactions, like banking, that may require a higher degree of security.

Verizon’s Universal Identity Services is a suite of security programs that help end-users monitor security and dispense user logins and passwords via the cloud. Users can authenticate themselves with OATH hardware and software tokens, PINs, passwords, one-time passwords and so on.

If users on services running Verizon’s infrastructure don’t want to rely on QR codes, they can opt for one-time passwords, in the vein of two-factor authentication, to get access.

The company will roll out the QR code feature soon for all UIS customers, employees and business partners.

QR codes have been touted as the next big thing – at least in marketing circles – for years now, but they never seem to have taken off among the security crowd.

In 2011, when the technology was in its relative infancy, hackers found a way to obfuscate the codes and trick users into clicking through to an Android-based Trojan. Similar to how users are never 100 percent sure of where they’re being directed when they click on shortened links, users couldn’t see past the QR codes’ blocky barcode to see the malicious destination.

Last year Google was forced to patch its Glass product when researchers discovered that the glasses automatically read and reacted to QR Codes present in photographs. This could’ve forced the specs to connect to a “hostile” WiFi access point, along with other seedy web addresses.



  • maxCohen on

    Like I'm ever going to trust Verizon with anything. I'll stick with SQRL.
  • Hitoshi Anatomi on

    The concept of authentication by possession of something (tokens or phones) leads me to imagine an ATM that will dispense all my money to whoever holds my bank card. Should the something or bank card be protected by PIN/password, it is an expanded use of the PIN/password, not an alternative to the PIN/password. 2 is larger than 1 on paper, but in the real world two weak boys may well be far weaker than one toughened guy. Physical tokens and phones are easily lost or stolen. It should be strongly emphasized that a truly reliable 2-factor solution requires the use of the most reliable password. ID federations (single-sign-on services and password managers) create a single point of failure, not unlike putting all the eggs in a basket. It remembers all my passwords when un-hacked and loses all my passwords to criminals when hacked. It could be considered mainly for low-security accounts, not for high-security business. Needless to say, the strength of the master-password is crucially important. At the root of the password problem is the cognitive phenomenon called “interference of memory”, by which we cannot firmly remember more than 5 text passwords on average. What worries us is not the password, but the textual password. The textual memory is only a small part of what we remember. We could think of making use of the larger part of our memory that is less subject to interference of memory. More attention could be paid to the efforts of expanding the password system to include images, particularly KNOWN images, as well as conventional texts.
