How QR Code Login Works: From Token Authentication to Secure Scanning

This article explains the principles behind QR code login, covering everyday QR code usage, the two-step authentication concept of identifying and proving identity, token-based mechanisms, and a detailed step‑by‑step flow—from QR code generation to mobile confirmation—illustrated with diagrams and code examples.

Java High-Performance Architecture

This article analyzes the QR‑code login mechanism that is frequently asked in technical interviews at major companies such as Alibaba, Tencent, and JD.

QR Code Basics

QR codes appear in many daily scenarios: shopping, payments, app downloads, and so on. Understanding how they work helps developers choose appropriate technologies and helps non-technical users recognize legitimate codes.

Two‑Step Authentication Concept

Login authentication can be broken down into two tasks:

Tell the system who I am.

Prove to the system that I am who I claim to be.

For example, a username/password login uses the username to identify the user and the password to prove identity; a mobile verification-code login uses the phone number to identify the user and the one-time code to prove identity.

Token‑Based Authentication

After a successful password login, the server binds the account with the device and issues a token that represents this binding. The token is stored client‑side and sent with each API request.

// The binding the server records after a password login: which account is
// logged in on which device. The string values are placeholders.
const token = {
  accountId: '账号ID',                          // account ID
  deviceId: '登录的设备ID',                     // ID of the device that logged in
  deviceType: '设备类型,如 iOS, Android, PC ...' // device type, e.g. iOS, Android, PC
};

The token alone is not enough; the server also checks the device information to ensure the request originates from the bound device.

QR Code Login Flow

The overall process consists of the following steps:

PC displays a QR code that contains a unique QR‑code ID bound to the PC device.

The user scans the QR code with a logged‑in mobile app; the mobile app sends the QR‑code ID and its identity to the server.

The server generates a temporary token linking the mobile identity with the QR‑code ID and returns it to the mobile app.

The mobile app shows a confirmation prompt; after the user confirms, the server creates a permanent login token for the PC and returns it.

The PC, which is polling the server, receives the token and completes the login.

During this process the QR code transitions through three states: waiting for scan, scanned (awaiting confirmation), and confirmed.

[Figure: QR code login state diagram]

Key Points

The QR code contains either a plain ID or a URL that includes the ID.

A temporary token is single‑use and ensures that the scan and confirmation come from the same mobile device.

The token‑based mechanism protects the password from being transmitted or stored on the PC.

Summary

QR‑code login relies on token authentication and stateful QR‑code IDs to securely convey the user’s identity from a trusted mobile device to a PC or web client, eliminating the need to input passwords on the target device.

Written by Java High-Performance Architecture

Sharing Java development articles and resources, including SSM architecture and the Spring ecosystem (Spring Boot, Spring Cloud, MyBatis, Dubbo, Docker), Zookeeper, Redis, architecture design, microservices, message queues, Git, etc.
