Verizon eyes QR codes as authentication option

Verizon eyes QR codes as authentication option

Summary: Can the QR code replace user names and passwords? Verizon Enterprise thinks so -- at least for some companies looking at two-factor authentication.

TOPICS: Security, CXO, Verizon

Verizon Enterprise on Tuesday is launching QR codes as a two-factor authentication option in its universal identity service. What's unclear is how many companies will see the handy QR code as a way to help eradicate user names and passwords.

The telecom giant developed a QR code login that would allow a customer or employee to scan a QR code on a website with their smartphone without a user name or password. User names and passwords are a major security issue since few people use two-factor authentication and most passwords are reused across multiple sites. The QR code would get people into accounts without passwords.

Here's how it works:

  • Customers could enroll for a Verizon Universal ID from a web page. 
  • After registering, the customer would download an app that would scan a dynamically generated QR code on a login page. 
  • Once a user scanned the code and Verizon confirmed the identity, he would be authenticated.



Tracy Hulver, chief identity strategist for Verizon, noted that QR codes could be used as a sole way into a site or app or combined with a PIN code. At an ATM, a user could scan a QR code to tap funds instead of entering a PIN and risking a skimmer. Hulver said enterprises have been interested in QR codes as a way to ditch passwords, but are also looking at other options. 

"A QR code is an option, but not the only one," said Hulver, who added that a QR code can be easy to use.

Should Verizon customers start using QR codes, one interesting aspect of this form of two-factor authentication would be ease of use. For instance, I scan QR codes, but infrequently. The extra click and opening of an app means I have to be motivated to get the information.

Meanwhile, the QR code setup means you have to have your phone with you at all times. Most of us always have a phone, but an online retailer could see a QR code as one more friction point in the buying process.


Topics: Security, CXO, Verizon

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


Log in or register to join the discussion
  • It'll Never Fly...

    It may have merit but Verizon is the wrong company. Google, maybe. Apple, maybe. Verizon? I just don't see it happening.
  • It'll Never Fly...

    It may have merit but Verizon is the wrong company. Google, maybe. Apple, maybe. Verizon? I just don't see it happening.
  • two-part?

    So I go online and want to log in. I scan the QR with my phone (that's assuming that I actually have a smartphone (if I don't then tough luck retailer) and I have the application (if I don't then tough luck retailer), and Verizon confirms the owner of the phone on to the owner of the site I'm trying to log in to.

    All that does is say that my phone has been used to gain access - not that I have used my phone to gain access. This doesn't sound a lot more secure than having a password scribbled down on the back of a business card!
    • Agreed - just who is this providing security for?

      QR codes are useless to the end user because you can't easily tell if a displayed QR code is legitimate or fake. This may protect the website owner by helping to authenticate the cellphone, but then the protections are only evident to the owner beginning at that point. This does nothing to verify the website legitimacy to the user, and in some ways makes it more difficult to do so. As long as the limitations of a QR code's benefits are understood, I guess it's small progress.
      • Hello ejhonda

        The QR codes are not generated by the website owner. They are generated by Verizon and the code scanned must match the code generated during the authentication event. When a person signs up for the service and downloads the application Verizon will “identity proof” the user to ensure that they are, in fact, who they say they are, and then bind the device (smartphone, tablet, etc.) to the individual. When that individual subsequently uses the service on a website, the website owner makes a transnational request to Verizon to generate the code, which is then displayed on the site. When the user scans the code Verizon (not the website owner) checks the scanned code against the one that was generated and validates the phone pairing to the person that owns the account with the website owner, without the need for a username or password.

        Peter Graham, Verizon Universal Identity Services
        Twitter @VerizonPeter
    • Hello LeMike

      If an individual does not have a smartphone, or the Verizon application, the online business can still offer the traditional method of logging into their sites. The difficulty with user names and passwords is that they are easily stolen and can be reused from anywhere, by anyone. So, if your username/password combination is stolen by a group in another country, they can be used to authenticate as you from anywhere in the world. Additionally, most people use either the same username/password combination or something very similar and easily guessed, meaning that if one account is compromised, all of your accounts are compromised. Lastly, it is very difficult to know if your specific username/password has been stolen in any particular breach. On the other hand, most of us will know within a few minutes if our smart phone is stolen and, even if it is, you can (and should) password protect your phone making it unusable to the thief, this then becomes the only password you need to remember…and it's highly unlikely that cyber criminals will launch a major campaign to steal our smartphones.

      Peter Graham, Verizon Universal Identity Services
      Twitter @VerizonPeter
  • Is the convenience only for the users?

    If my understanding is not wrong, whoever holds the app-installed phone in their hands can make the login on behalf of the legitimate user.

    The concept of authentication by possession of something (token or phone) leads me to imagine an ATM that will dispense all my money to whoever holds my bank card. Should the something or bank card be protected by PIN/password, it is an expanded use of the PIN/password, not an alternative to the PIN/password.
  • For authenticating the retail web site to the user,

    QR codes are less secure than the picture method used by J C Penney and others who use the same bank to process their cards. When you sign up for online access, you choose one of a half dozen pictures, such as pink phone, set of weights, flower, etc. When you log in to their web site, you enter the user id first. On the next page, asking for your password, they display the exact picture you specified at sign up, and warn you not to complete the login if the picture does not match. The human brain can recognize that a picture matches what was seen at sign up, so nothing has to be written down. A spoof web site would not know in advance which picture to display, and it would be difficult to make that picture look exactly the same.

    In the other direction, as has been mentioned, the QR code by itself is not secure. Anyone who finds or steals the phone has access online, and at an ATM, to all of that customer's accounts. And the customer who loses the phone has no way to log in to lock the account. For that matter, a customer in a poor signal area (or in a foreign country where he or she chose not to pay roaming charges, and has thus left the phone in the hotel room safe) has no way to buy or get cash.