
JOURNAL OF NETWORKS, VOL. 5, NO. 8, AUGUST 2010 937

A Novel User Authentication Scheme Based on QR-Code
Kuan-Chieh Liao
Department of Accounting & Information Systems,
ASIA University, Taichung, Taiwan, R.O.C.
Email: lkc@asia.edu.tw

Wei-Hsun Lee
Department of Information Science and Applications,
ASIA University, Taichung, Taiwan, R.O.C.
Email: weishun2003@gmail.com

Abstract—User authentication is one of the fundamental procedures for ensuring secure communication and sharing system resources over an insecure public network channel. Thus, a simple and efficient authentication mechanism is required to secure the network system in real environments. In general, a password-based authentication mechanism provides the basic capability to prevent unauthorized access. In particular, the purpose of the one-time password is to make it more difficult to gain unauthorized access to restricted resources. Instead of using a password file as conventional authentication systems do, many researchers have devoted themselves to implementing various one-time password schemes using smart cards, time-synchronized tokens or the short message service in order to reduce the risk of tampering and the maintenance cost. However, these schemes are impractical because the hardware devices are far from ubiquitous or because of their infrastructure requirements. To remedy these weaknesses, the QR-code technique can be introduced into our one-time password authentication protocol. Unlike previous schemes, the proposed QR-code based scheme not only eliminates the use of the password verification table but is also a cost-effective solution, since most Internet users already have mobile phones. For this reason, instead of carrying around a separate hardware token for each security domain, the handiness of the mobile phone makes our approach more practical and convenient.

Index Terms—one-time password; user authentication; QR-code; mobile phone

Manuscript received May 20, 2009; revised November 30, 2009. The associate editor coordinating the review of this paper and approving it for publication was Dr. Hsing-Chung Chen.
© 2010 ACADEMY PUBLISHER
doi:10.4304/jnw.5.8.937-941

I. INTRODUCTION

With the rapid development of computer network technologies, more and more computers are connected together to exchange large amounts of information and share system resources. Security is therefore an important issue for computer networks. To prevent information from being accessed by illegitimate or unauthorized users, remote authentication of users is certainly one of the most important services. User authentication is the essential security mechanism for establishing a trust relationship in open network environments. The password-based authentication scheme is the most common method of checking the validity of the login message and authenticating the user.

A one-time password is a password that is only valid for a single login session or transaction. The one-time password avoids various shortcomings associated with traditional static passwords, such as the replay attack, the dictionary attack, and the phishing attack. This means that if a potential intruder manages to record a one-time password that was already used to log into a service or to conduct a transaction, he will not be able to abuse it, since it will no longer be valid. Therefore, the purpose of the one-time password is to make it more difficult to gain unauthorized access to restricted resources.

On the other hand, one-time passwords cannot be memorized by human beings. For this reason, they require additional technology in order to work. Basically, one-time password schemes can be classified into the following four categories:

A. Based on the mathematical algorithm

In 1981, Lamport [8] first proposed a one-time password authentication scheme using a one-way hash chain. However, if an indefinite series of passwords is wanted, a new seed value needs to be chosen after the set of old hash chain values is exhausted. In particular, maintaining a password file to verify the user's authentication request also increases the risk of tampering and the maintenance cost. For this reason, many researchers [1][3][4][11][16][18] have proposed various user authentication schemes using smart cards to improve the security, the cost or the efficiency.

B. Based on the smart card

Due to their tamper resistance and the convenience of managing a password file, smart cards have been widely adopted in many remote authentication schemes [1][3][4][11][16][18]. However, carrying around the cards and the reader remains a burden to users. Since the card and the reader are far from ubiquitous, this obstacle has restricted the application of smart card based authentication schemes.

C. Based on the time-synchronized token

Time-synchronized one-time passwords are usually related to physical hardware tokens. Inside the token is an accurate clock that has been synchronized with the clock on the authentication server. Recently, it has become possible to take the electronic components associated with regular key fob one-time password tokens, such as those from InCard [6], RSA [15], SafeNet [9], and Vasco [17]. However, for the same reason as the smart card based schemes, these approaches are also inconvenient because of the cost of the one-time password hardware and the infrastructure requirements.

D. Based on the Short Message Service (SMS)

SMS is a ubiquitous communication channel that is available in all handsets. However, SMS is best-effort delivery, which means that the phone company will try to deliver the message but will not guarantee that it gets there, or, if it does, how long it will take. It should be noted that one-time passwords should have a time to live as a security feature. Moreover, an SMS based scheme still incurs extra charges. Thus, it is impractical and is not necessarily a low total cost solution.

The above-mentioned obstacles have obviously restricted the practicability of one-time password authentication schemes. Therefore, it is of great interest to devise a solution which can overcome these drawbacks. Due to the rapid advances in mobile communication technologies, the QR-code [7] read by embedded camera devices has been used as a new input interface. Mobile phones with an embedded camera can capture QR-codes and decode them with software running on the phone [2]. Meanwhile, there are many advantages to using the QR-code on mobile phones, such as omni-directional readability and error correction capability. For this reason, mobile phones nowadays adopt the QR-code to support many services such as booking tickets, paying a fee and URL reading [10][13][19].

So the approach proposed in this paper is to adopt the widely used QR-code technique to support the one-time password system, since QR-code applications on mobile phones inherit the benefits of the QR-code, such as the large capacity, the small printout size, the high speed scan, the damage resistance and the data robustness. Besides, various properties of the mobile device, such as mobility and handiness, make our approach more practical. Thus, our approach could be more convenient, since users would not need to carry around a separate hardware token for each security domain to which they require access.

This paper is organized as follows. Section II gives the basic concept of the QR-code. In Section III, the proposed QR-code based one-time password authentication scheme is given. In Section IV, the feasibility evaluation and security analysis are discussed. Finally, this paper concludes in Section V.

II. BASIC CONCEPT OF THE QR-CODE

The QR-code [7] is a two-dimensional barcode introduced by the Japanese company Denso-Wave in 1994. It contains information in both the vertical and the horizontal direction, whereas a classical barcode carries data in only one direction. Compared to a classical barcode, a QR-code can hold a considerably greater volume of information: 7,089 characters for numeric only, 4,296 characters for alphanumeric data, 2,953 bytes of binary (8 bits). The "QR" is derived from "Quick Response", as the creator intended the code to allow its contents to be decoded at high speed. In addition, the QR-code also has error correction capability. Data can be restored even when substantial parts of the code are distorted or damaged.

Many cellular phones with an embedded camera are nowadays natively equipped with QR-code decoding software. With the aid of this equipment, it is simple for a human to decode QR-codes and then display, manipulate, or store the information on their mobile device. Figure 1 and Figure 2 illustrate the QR-code encoding and decoding diagrams respectively.

Figure 1. QR-code encoding diagram.

Figure 2. QR-code decoding diagram.

QR-codes are part of daily life in Japan, Korea, Taiwan, Hong Kong, and China. Moreover, depending on the type of data recognized and the nature of the application, alternative actions can follow the decoding stage: a phone number can be automatically dialed, a short text message can be sent, a web page corresponding to the decoded URL can be displayed in a mobile browser, or a specific application can be executed. Thus, since QR-codes now appear in magazines, advertisements, product wrappings,
T-shirts, passports, business cards and on subway billboards in Japan, most current Japanese mobile phones can read this code with their camera.

However, at the consumer market level, QR-codes are virtually unknown outside of Asia [14]. Fortunately, for camera phones that are not equipped with QR-code readers, QuickMark [12] and I-nigma [5] both provide free tools, available for many manufacturers' models and devices, to decode QR-codes simply.

III. PROPOSED SCHEME

The major concern of our scheme is to make use of the widely deployed QR-code technique in order to eliminate the drawbacks of the prior one-time password schemes. The convenient integration of the web-based application and the mobile device makes our scheme more practical.

The proposed scheme involves two parties: a service provider (SP for short) and remote users. Each authorized user can request service from the SP with the granted access rights. In addition, each user holds a mobile phone with an embedded camera, so he can take a picture of the QR-code image and then decode it. Our scheme is divided into two phases: the Registration phase and the Verification phase. The notation in TABLE I is employed throughout this paper.

TABLE I. NOTATION

  Notation   Description
  h(·)       A one-way hash function
  EQR(·)     A function that encodes data into a QR-code image
  DQR(·)     A function that decodes the QR-code image captured by an embedded camera device
  s          SP's long-term secret key
  T1, T2     Time stamps

A. Registration Phase

Without loss of generality, assume that a User A with an embedded camera mobile device wants to join the system. Then, SP and User A carry out the following registration procedure. The steps of the Registration phase are also shown in Figure 3.

1) User A sends his identity IDA to SP.
2) SP computes
       xA = h(IDA, s)                                   (1)
   and sends xA to User A's mobile device via a secure channel.
3) User A's mobile device stores xA as the long-term secret key.

Figure 3. Registration phase.

B. Verification Phase

The verification phase proceeds as follows. The steps of the Verification phase are also shown in Figure 4.

1) User A sends IDA and T1 to SP, where T1 is the time stamp attached by User A.
2) SP examines whether the time stamp T1 is correct. If it is invalid, SP rejects the request. Otherwise, SP chooses a random number r, computes
       xA = h(IDA, s), and
       α = r ⊕ xA,                                      (2)
   and then sends EQR(α), h(r, T1, T2), and T2 to User A, where T2 is the time stamp attached by SP.
3) User A examines whether the time stamp T2 is correct. If it is invalid, User A rejects it. Otherwise, User A derives r with his embedded camera device by computing
       r = DQR(EQR(α)) ⊕ xA.                            (3)
   After that, User A examines whether h(r, T1, T2) is correct. If it holds, User A sends h(r, T2, T3) and T3 to SP.
4) SP examines whether the time stamp T3 is correct. If it is invalid, SP rejects the request. Otherwise, SP checks whether h(r, T2, T3) is correct. If it holds, SP is convinced that User A is valid. Otherwise, the request is rejected.

Figure 4. Verification phase.
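The two phases above as an added, runnable Python sketch; it is not code from the paper. h(·) is instantiated with SHA-256, EQR/DQR are stand-ins that carry the QR payload as base64 text instead of an image, and the "legal time interval" is an assumed constant WINDOW. It also exercises the replay argument of Section IV.B.4: a captured step-3 reply presented after the legal interval fails the T3 check.

```python
import base64
import hashlib
import hmac
import secrets

WINDOW = 60  # assumed "legal time interval" in seconds; the paper leaves its value open

def h(*parts) -> bytes:
    # The paper's h(.) as SHA-256 over length-prefixed fields; time stamps are 8-byte ints
    m = hashlib.sha256()
    for p in parts:
        b = p if isinstance(p, bytes) else p.to_bytes(8, "big")
        m.update(len(b).to_bytes(4, "big") + b)
    return m.digest()

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def fresh(t: int, now: int) -> bool:
    return abs(now - t) <= WINDOW  # the time-stamp check of steps 2, 3 and 4

# Stand-ins for E_QR / D_QR: the "image" is base64 text carrying the bytes the QR code would hold
def e_qr(data: bytes) -> str:
    return base64.b64encode(data).decode()

def d_qr(img: str) -> bytes:
    return base64.b64decode(img)

class ServiceProvider:
    def __init__(self) -> None:
        self.s, self.pending = secrets.token_bytes(32), {}  # secret s; r/T2 of open logins

    def register(self, id_a: bytes) -> bytes:
        return h(id_a, self.s)            # eq. (1); xA is derived, no password table is kept

    def challenge(self, id_a: bytes, t1: int, now: int):
        if not fresh(t1, now):
            return None                   # step 2: stale T1 is rejected
        r, t2 = secrets.token_bytes(32), now
        alpha = xor(r, h(id_a, self.s))   # eq. (2): xA is recomputed, never stored
        self.pending[id_a] = (r, t2)
        return e_qr(alpha), h(r, t1, t2), t2

    def verify(self, id_a: bytes, proof: bytes, t3: int, now: int) -> bool:
        if not fresh(t3, now) or id_a not in self.pending:
            return False                  # step 4: a stale T3 (replayed request) is rejected
        r, t2 = self.pending.pop(id_a)    # r is single-use (hardening added beyond the paper)
        return hmac.compare_digest(proof, h(r, t2, t3))

class User:
    def __init__(self, id_a: bytes, x_a: bytes) -> None:
        self.id_a, self.x_a = id_a, x_a   # xA kept on the phone since registration

    def respond(self, t1: int, qr_img: str, digest: bytes, t2: int, now: int):
        if not fresh(t2, now):
            return None
        r = xor(d_qr(qr_img), self.x_a)   # eq. (3): decode the image, XOR with xA
        if not hmac.compare_digest(digest, h(r, t1, t2)):
            return None                   # SP did not prove knowledge of r: abort
        return h(r, t2, now), now         # step 3 reply: h(r, T2, T3) and T3

def run_login(sp: ServiceProvider, user: User, now: int) -> bool:
    chal = sp.challenge(user.id_a, now, now)
    resp = chal and user.respond(now, *chal, now)
    return bool(resp) and sp.verify(user.id_a, *resp, now)
```

A phone holding the wrong xA recovers the wrong r at step 3 and aborts on the h(r, T1, T2) check, which is the property Section IV.B.3 relies on.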


IV. DISCUSSIONS

In the proposed QR-code based remote authentication model, instead of adopting the traditional smart card, the user's mobile phone takes responsibility for capturing the QR-code image and decoding it. For this reason, the feasibility of the operations on the mobile phone is especially discussed in this section. Also, some possible attacks against the proposed scheme are taken into account.

A. Feasibility Evaluation

According to equation (3), it can be observed that the embedded camera mobile device only needs to carry out a QR-code decoding operation and one logical operation, the exclusive OR. Thus, it is obvious that the overall computational load is acceptable.

On the other hand, from the viewpoint of the user's computer, instead of using an extra random number generator, the time stamps T1 and T3 are applied to strengthen the security of the one-time password r. Without the load of a random number generator, it is consequently more efficient and suitable for the remote user.

In addition, from the viewpoint of the service provider, no extra cost is necessary to create and maintain a password table storing each user's long-term secret key. Accordingly, not maintaining a password file to verify the user's authentication request decreases the risk of tampering and the maintenance cost.

Therefore, according to the foregoing discussion, it can be seen that the proposed QR-code based authentication protocol is efficient and practical.

B. Security analyses

1) Security risk of the user's mobile phone

Since the mobile phone holds the user's long-term secret key, it needs to be well protected. Fortunately, the mobile phones with an embedded camera in our scheme only capture the QR-code and decode it with software running on the phone. Accordingly, the mobile device is not directly exposed to other malicious users. Thus, under this reasonable assumption, the risks arising from the mobile phone will be significantly reduced.

2) Security risk of the SP

It is infeasible for an attacker to derive SP's secret value s according to equation (1), because the one-way hash function is irreversible.

On the other hand, the attack of impersonating CA will also fail, because he still cannot derive xA without the knowledge of s.

3) Security risk of the remote user

According to equations (2) and (3), it can be observed that it is infeasible to obtain the valid user's long-term secret key xA without the knowledge of the corresponding random number r.

On the other hand, if an adversary intercepts the information being transmitted over the public channel, it is still infeasible to derive r from h(r, T1, T2) and h(r, T2, T3), because the one-way hash function is irreversible.

4) Man-in-the-middle attack and replay attack

Suppose that the intruder replays a legal request with time stamp T3 intercepted from the public channel and the SP receives the access request message at time T3'. Since T3' − T3 is not less than the legal time interval, the service provider will reject it.

In addition, r is a random number chosen afresh by SP each time. Thus, both the man-in-the-middle attack and the replay attack will fail.

V. CONCLUSION

In today's humanistic society, daily products and various systems must be designed with consideration of human habits and convenience. The motivation of this paper is to be the first to propose a QR-code based one-time password authentication protocol, which not only eliminates the use of the password verification table but is also a cost-effective solution, since most Internet users already have mobile phones. From the user's point of view, our approach could be more convenient, because the burden of carrying a separate hardware token or the extra charges of the Short Message Service can be removed. Thus, the contribution is obvious.

REFERENCES

[1] H. Y. Chien, J. K. Jan, and Y. M. Tseng, "An efficient and practical solution to remote authentication: smart card," Computers & Security, Vol. 21, No. 4, pp. 372–375, 2002.
[2] T. Falas and H. Kashani, "Two-Dimensional Bar-code Decoding with Camera-Equipped Mobile Phones," Proceedings of the Fifth Annual IEEE International Conference on Pervasive Computing and Communications Workshops, 19–23 March 2007, pp. 597–600.
[3] H. C. Hsiang and W. K. Shih, "Weaknesses and improvements of the Yoon–Ryu–Yoo remote user authentication scheme using smart cards," Computer Communications, Vol. 32, Issue 4, pp. 649–652, 2009.
[4] M. S. Hwang and L. H. Li, "A new remote user authentication scheme using smart cards," IEEE Transactions on Consumer Electronics, Vol. 46, No. 1, pp. 28–30, 2000.
[5] I-Nigma. Retrieved November 2009 from: http://www.i-nigma.com/.
[6] InCard DisplayCards. Retrieved November 2009 from: http://www.incard.com/products.html.
[7] ISO/IEC 18004:2000. Information technology – Automatic identification and data capture techniques – Bar code symbology – QR Code, 2000.
[8] L. Lamport, "Password authentication with insecure communication," Communications of the ACM, Vol. 24, No. 11, pp. 770–772, 1981.
[9] OTP Authenticators. Retrieved November 2009 from: http://www.safenet-inc.com/Products/Data_Protection/Multi-Factor_Authentication/OTP_Authenticators.aspx.


[10] T. S. Parikh and E. D. Lazowska, "Designing an architecture for delivering mobile information services to the rural developing world," Proceedings of the Seventh IEEE Workshop on Mobile Computing Systems and Applications, Washington DC, USA, April 2006, pp. 31–33.
[11] M. Peyravian and C. Jeffries, "Secure remote user access over insecure networks," Computer Communications, Vol. 29, Issue 1, pp. 660–667, 2006.
[12] QuickMark. Retrieved November 2009 from: http://www.quickmark.com.tw/.
[13] J. Rekimoto and M. Saitoh, "Augmented Surfaces: A Spatially Continuous Work Space for Hybrid Computing Environments," Proceedings of the ACM Conference on Human Factors in Computing Human Interaction, Pittsburgh, PA, 15–20 May 1999, pp. 378–385.
[14] J. Rouillard, "Contextual QR Code," Proceedings of the Third International Multi-Conference on Computing in the Global Information Technology, Athens, Greece, July 27 – August 1, 2008, pp. 50–55.
[15] RSA SecurID. Retrieved November 2009 from: http://www.rsa.com/node.aspx?id=1156.
[16] H. M. Sun, "An efficient remote user authentication scheme using smart cards," IEEE Transactions on Consumer Electronics, Vol. 46, No. 4, pp. 958–961, 2000.
[17] VASCO. Retrieved November 2009 from: http://www.vasco.com/solutions/partners/novell.aspx.
[18] J. Xu, W. T. Zhu, and D. G. Feng, "An improved smart card based password authentication scheme with provable security," Computer Standards & Interfaces, Vol. 31, Issue 4, pp. 723–728, June 2009.
[19] G. Yu, Z. Wang, Y. Li, and L. He, "An application and implementation of two-dimensional symbols for circuit board quality control system," Proceedings of the 2nd IEEE International Conference on Industrial Informatics, Berlin, 26 June 2004, pp. 397–401.

Kuan-Chieh Liao was born in Taichung, Taiwan on September 23, 1979. He received his B.S., M.S. and Ph.D. degrees from the Department of Information Engineering & Computer Science, Feng Chia University, Taichung, Taiwan, in 2001, 2002 and 2007 respectively. Since August 2008, he has been with the Accounting and Information Systems Department at Asia University, Taichung, Taiwan, as an Assistant Professor. His current research interests include cryptography, steganography, and network security.

Wei-Hsun Lee was born in Taipei, Taiwan on April 19, 1986. He received his B.S. degree from the Department of Computer Science & Information Engineering, ASIA University, Taichung, Taiwan, in 2008. He is currently pursuing his M.S. degree in the Department of Information Science and Applications, ASIA University. His current research interests include information security, cryptography, and electronic commerce.
