Authenticating physical location using QR codes and network latency

Abstract

QR codes are increasingly being used as a mechanism to transmit one time passwords (OTPs) between devices for the purpose of authentication due to their convenience, low cost, and the ubiquity of consumer mobile devices. Existing practice typically utilizes a single QR code which is relatively easy to capture and relay to an offsite attacker or collaborator. We propose a mechanism using a stream of rapidly changing QR codes that maintains the convenience, ubiquity, and low cost of the standard approach, while aiming to eliminate the viability of relay attacks. We test this setup using a university class attendance scenario and successfully distinguish between valid physically present users and invalid offsite attackers.