Django-qrauth: QR codes for instantly signing in to a website - aruseni
https://github.com/aruseni/django-qrauth/
django-qrauth allows you to easily spice up your website with instant user authentication: once a user has signed in on their Mac or PC, they can pick up their smartphone (or tablet, iPod, etc: actually, anything that has Internet access, a camera and a QR code scanning application should work), scan a QR code (which appears on the display after the user clicks the corresponding link) and immediately sign in on their smartphone or other mobile device they use (so they don’t have to enter the site address, nor their login/email, nor password).
======
joelhaasnoot
Good idea, but needs to be abstracted not to require Redis, but use Django's
database backends.

~~~
JosephRedfern
Agreed. It seems really unnecessary - Redis for the sake of Redis.

~~~
jonknee
It was probably abstracted from a project that used Redis so it's Redis for
the sake of meeting the requirements.

~~~
aruseni
Yup. That is how it was. Of course, if someone adds this and sends me a
pull request, it’ll be there. Or maybe I will make it myself later (actually,
it should be pretty easy to implement).

------
ams6110
I can't quite get what this is doing. My impression is that it's trying to
make it easy for me to authenticate to a website, using my phone somehow.

My idea for auth with QR codes would work something like:

a) initial setup: user establishes profile with website, including creating a
public/private key pair. Public key stays with the service, private key in the
user's phone/app.

b) To authenticate, website presents user with QR code containing a token
encrypted with user's public key.

c) user scans code with phone/app, decrypts token with private key, signs it,
and returns it to service, which verifies token and signature thus
authenticating user.

But then all you've done is validated the user on his/her phone... not on the
computer displaying the web page with the original QR code. What am I missing?

~~~
ProblemFactory
It is much simpler. It is authenticating the user to a website _in a mobile
browser_, not on the desktop.

0. The user must be already logged in to the website on their desktop via any
conventional means.

1. The website generates a QR code with a hard-to-guess URL, unique for the
user.

2. The user reads the QR code with their phone, and opens the link in the
mobile phone's browser.

3. The URL is unique for the user and hard to guess, so the user can be
logged in on their mobile browser without asking for a username and password.

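The four steps above, as an added example (not code from django-qrauth, which stores its tokens in Redis): a plain dict stands in for Redis, the token is 256 random bits, it expires after a short window, and it is consumed on first use so a code that is scanned twice only works once. The URL prefix and the 120-second lifetime are assumptions, not the project's settings.

```python
import secrets
import time

TOKEN_TTL_SECONDS = 120  # assumption: a short lifetime; the project's own TTL is not stated here
BASE_URL = "https://example.invalid/qrauth/"  # placeholder, not the project's URL scheme


class QRLoginStore:
    """In-memory stand-in for the Redis store: token -> (user_id, expiry timestamp)."""

    def __init__(self, ttl=TOKEN_TTL_SECONDS, now=time.time):
        self.ttl = ttl
        self.now = now          # injectable clock so expiry can be tested deterministically
        self._tokens = {}

    def issue(self, user_id):
        """Step 1: mint a hard-to-guess, per-user token for a user who is already
        signed in on the desktop, and return the URL to encode in the QR code."""
        token = secrets.token_urlsafe(32)  # 32 bytes = 256 bits of randomness
        self._tokens[token] = (user_id, self.now() + self.ttl)
        return BASE_URL + token

    def redeem(self, token):
        """Step 3: called when the mobile browser opens the URL.
        Returns the user_id to sign in, or None if the token is unknown,
        already used, or expired. pop() makes every token single-use."""
        entry = self._tokens.pop(token, None)
        if entry is None:
            return None
        user_id, expires_at = entry
        if self.now() > expires_at:
            return None
        return user_id

    def revoke_all(self, user_id):
        """Invalidate every outstanding code for a user, e.g. when the desktop
        session that requested them logs out."""
        self._tokens = {t: v for t, v in self._tokens.items() if v[0] != user_id}


def token_from_url(url):
    """Extract the token part of a QR-code URL (the mobile view would get it from the path)."""
    if not url.startswith(BASE_URL):
        return None
    return url[len(BASE_URL):]


if __name__ == "__main__":
    store = QRLoginStore()
    url = store.issue("alice")          # shown to the desktop session as a QR code
    print("first scan :", store.redeem(token_from_url(url)))   # alice
    print("second scan:", store.redeem(token_from_url(url)))   # None (already used)
```

Because every token lives server-side, logging out on the desktop or calling `revoke_all` kills any code that is still on screen, which is the property a stateless signed URL cannot give you.
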
~~~
aruseni
Correct. The only thing I’d also like to mention is security.

1\. If there are XSS vulnerabilities on the website, an attacker could use
iframes (at least if you haven’t set X-Frame-Options to DENY) or
XMLHttpRequest to retrieve an authentication QR code and use it to log into
the user’s account.

2\. Even without any XSS, it is possible that someone who has access to the
user’s session (for example, if the user is still logged in on the website,
but is away from the computer) could scan the QR code and, therefore, log into
the user’s account.

Possible solutions include sending the QR code by email (actually, some users
are always logged into their email accounts as well, so this might be
meaningless) and prompting the user for their password before displaying the
QR code (it is still much easier to type the password on a desktop/laptop
computer’s keyboard rather than type the site address + login or email +
password on a mobile device’s virtual keyboard).

------
tl
Related question: Can anyone recommend a QR scanner for iOS that doesn't suck?
I use android personally, but was annoyed to learn that most / all iOS apps
lock you into a webview when you scan effectively blocking functions like add
to home screen and bookmarks.

~~~
joelhaasnoot
I think the reason Android works so well is the intent system is well thought
out and just works. That just doesn't exist on iOS.

~~~
lukegb
That said, for opening links, Google's devised [1] for Chrome-ish on iOS to
abstract everything, but I believe (as an Android user and developer myself)
that all it takes is a

[[UIApplication sharedApplication] openURL:targetURL];

where targetURL is an NSURL.

Chrome on iOS even allows you to specify a callback URL to return to.

[1] <https://developers.google.com/chrome/mobile/docs/ios-links>

------
ChrisNorstrom
!!! Be careful, a similar version of this is patent pending. I know the guy
that came up with this 3 years ago when he showed us a demo.
<http://www.eletronic-badge.com>

I'm not sure if it's the exact same process though.

~~~
gojomo
Unless you are a patent expert professionally convinced of the legitimacy and
relevance of a patent, you shouldn't be promoting sketchy patent claims
widely. To do so aids patent trolls in their "willful infringement" claims,
and spreads vague FUD that suppresses new ideas prematurely.

Following the advice of Linus Torvalds [1] and other wise, experienced
technical leaders, I suggest all working engineers avoid idly reviewing
patents or patent claims unless and until a patent expert representing your
own interests advises that there is a credible threat of legal action and need
to understand specific patents.

Otherwise you're helping trolls and wasting time getting worked up over what
is, 99.99% of the time, nothing.

[1] <http://lwn.net/Articles/7636/>

~~~
aruseni
You, sir, are absolutely right.

------
dindresto
There's a similar library which does not depend on django and redis, called
quickerauth. <https://github.com/williamhogman/quickerauth>

------
anologwintermut
Why is this dependent on redis, let alone any database ? Couldn't you just
encode the username and expiration date in a URL along with a message
authentication code or cryptographic signature over the data? It should scale
way better and not involve installing a whole new database.

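The stateless variant suggested in this comment, as an added example that is not part of django-qrauth: the username and an expiry timestamp go into the URL, an HMAC-SHA256 over them proves the server minted it, and verification needs no database at all. The key and URL prefix are constructed placeholders.

```python
import base64
import binascii
import hashlib
import hmac
import time

SERVER_KEY = b"constructed-example-key-do-not-use"  # assumption: a per-site secret held only server-side
BASE_URL = "https://example.invalid/qrauth/"         # placeholder, not the project's URL scheme


def _b64(data: bytes) -> str:
    """URL-safe base64 without padding, so the token is QR/URL friendly."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_login_url(username, ttl_seconds=120, now=time.time):
    """Build <BASE_URL><b64(username|expiry)>.<b64(HMAC)> for the QR code."""
    expires = int(now()) + ttl_seconds
    payload = f"{username}|{expires}".encode()
    tag = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    return BASE_URL + _b64(payload) + "." + _b64(tag)


def verify_login_url(url, now=time.time):
    """Return the username if the URL carries a valid, unexpired MAC, else None.
    The MAC is checked before anything in the payload is trusted."""
    if not url.startswith(BASE_URL):
        return None
    try:
        payload_b64, tag_b64 = url[len(BASE_URL):].split(".", 1)
        payload = _unb64(payload_b64)
        tag = _unb64(tag_b64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return None
    username, _, expires = payload.decode().rpartition("|")
    if not username or int(now()) > int(expires):
        return None
    return username


if __name__ == "__main__":
    url = make_login_url("alice")
    print(url)
    print(verify_login_url(url))  # alice
```

The trade-off the comment does not mention: with no server-side state there is no way to make a code single-use or to revoke it before the expiry passes, so the lifetime has to be short and the code treated as a bearer credential for that window.
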
------
pmx
I like the idea of this but I think something in reverse would be much more
useful. For example, a keychain application on the phone that can log the user
into a website on any other device by scanning the barcode.

~~~
pajju
You created this account 30mins before to post this?

~~~
rpledge
I didn't even notice the account was green. Trust me, I would have just posted
at the top level, I have no need to create fake accounts.....

~~~
pmx
We are not the same person. I've lurked here for some time and never felt the
need to comment before this one, hence the new account. I'm not sure why
rpledge would even feel the need to create a fake account anyway, as he says
his comment would have been fine in the top level.

------
doc-m
Couldn't someone snap my qr code whilst I wasn't looking and have access to my
account on their phone? I think there's some interesting uses of qr codes for
authentication, but I'm not sure this is one of them.

------
dave5104
The idea behind making it easy to log into sites on your phone easily is nice.

But QR codes are probably a bad way of going about it. The average user just
doesn't know what to do with QR codes, and they have poor engagement (at least
if you're targeting this at non-Asian countries). How often have you ever seen
someone scanning a QR code? They're particularly a waste of space on
advertising--where that space could be used to place a URL that people know
what to do with.

Perhaps a better way to go about enabling this login process is asking for
their mobile number, and then just SMSing them a link to click.

~~~
aruseni
SMSing might be good, but there are also a few reasons not to do so. For
example, there are many users who don’t really want to enter their phone
number anywhere on the Internet (and it is actually a good point, at least you
get more privacy).

A few more reasons:

1\. There are always third parties (the SMS gateway, the carrier) when you
send SMS messages.

2\. You cannot receive SMS if there’s no signal or if there’s no cellular
module at all (a frequent use case on tablets, iPods, etc) — just the camera,
Internet connection, QR code scanning application. :)

3\. Sending SMS messages costs you money. On the other hand, QR codes are
generated for free. Also, it usually takes more effort to set up (and also it
can break — relying on third party services is almost always less solid).

4\. SMS messages can be slow (and sometimes you don’t receive a message at
all). QR codes, on the other hand, are very predictable and usually work pretty
well (at least if the camera works correctly).

------
fblp
What are some example use cases for this?

~~~
wx196
For example, you urgently need to complete some work and at the same time you
need to leave your working PC. But it seems to be an additional security issue
for the website admin.

------
stesch
So, I need a desktop system to log into my mobile device? How often do you
need this in the real world?

------
coherentpony
Does anyone actually use QR codes? I see them everywhere and I _never_ use
them.