

ShowHN: Login to any site by scanning a QR Code - rpledge
http://qrauth.com

======
oakenshield
Cool implementation. Were you inspired by the Google 2-factor approach to log
in to Goog websites that was pulled?

[http://www.readwriteweb.com/archives/google_launches_qr_code...](http://www.readwriteweb.com/archives/google_launches_qr_code-
based_login_security_measu.php)

As others said, I'd love to see an android version. However, before I use it
for my important Web service accounts, I'd like the ability to encrypt my
passwords both on the phone app and the browser plugin with a key known only
to me so I don't have to trust your service with my cleartext passwords.

~~~
rpledge
I was working on this when google tested that feature. I actually started the
project as a 2 factor authentication system but scaled it back to this version
of the initial release at least. There's a chicken/egg problem with getting
websites to adopt without needing the browser plugin.

I like your password idea, its a nice feature. I'll add it to my idea list.
Thanks for the feedback!

------
jonny_eh
I just tried it out. Works quite well! I think this is pretty damn cool.

Feature requests:

\- The ability to add sites to the db using the extension (unless I missed
this). Typing on the iphone's a pain vs typing on my laptop.

\- A way to quickly copy the credential data from the iOS app so it can be
used in other iOS apps.

\- A password auto-generator.

\- Dropbox support. That way this could sync up and work across platforms, and
wouldn't require me to trust you with my precious data. (I'm already trusting
dropbox, for better or worse, but at least there I can ensure it's encrypted)

~~~
rpledge
Glad you like it. All those features are planned.

There is support for iCloud which tries to sync the database between phones.
I've found iCloud syncing of databases to be slow in my testing, but it does
seem to do it eventually. Speed probably isn't a big issue for day to day use,
but it made testing the sync feature frustrating.

------
apinstein
How is this better than something like 1Password? The only difference seems to
be that instead of entering my master password in the browser extension, it's
on my phone and I have to do extra work to log into the web site... I don't
see any real security advantage, and the UX is much worse. Maybe I am missing
something though.

~~~
jonny_eh
I'm trying this out because I don't want to shell out $50 for the 1Password
OSX app and then $15 for their iOS app.

I also see an advantage of not needing to constantly type in a master
password, which can be seen by anyone standing around me.

------
ragmondo
what bit talks to the browser? Don't websites need to be "QRAuth" enabled?
Have I just asked one of those questions which is "funny you should ask
that..." ?

~~~
rpledge
There's a browser extension (Chrome/Safari/FF) that does the hookup. Basically
it talks to our server to request a QR Code. When the code is scanned, the
users credentials are encrypted on the phone, sent to our server which passes
them along to the browser extension.

I do have a version that doesn't require the browser extension, but that does
require the website to add some javascript and do some backend work to enable
it.

------
zalew
what problem is it solving?

~~~
byoung2
It's gotten to the point that the average person needs to remember dozens of
passwords for various sites. You can't use the same password for everything
because one could be hacked, compromising all of them, and even if that's not
an issue, every site has different password strength requirements. This
approach lets you use a very complex password for each site without making you
memorize it. I just wish there were an Android version.

~~~
rpledge
Android is in the plans. The main reason I started with iOS was that I had
access to the devices.

~~~
byoung2
That's great to hear! Let me know if you need someone to test with android. My
wife was excited when I told her about the app...her current solution is a big
Google doc with all of her important passwords!

