How QR Code Login Works: From Tokens to Secure Authentication

This article explains the principles behind QR codes, how they are used for secure login by transmitting identity and proof through token‑based authentication, and walks through each step of the QR‑code login flow from generation to confirmation.

Open Source Linux

QR codes appear in many daily scenarios such as payments, system logins, and app downloads. Understanding their principles helps both technical and non‑technical users make safer choices and consider QR‑code based solutions.

Essence of QR Code Login

QR‑code login is a form of authentication that performs two essential tasks: telling the system who you are and proving it.

Identify the user (e.g., account name or phone number).

Prove the identity (e.g., password, verification code, or QR‑code confirmation).

In QR‑code login, the mobile app, already logged in, scans a QR code displayed on the PC, confirms the action, and the PC logs in with the same account.

Understanding QR Codes

QR codes are two‑dimensional barcodes that can encode any string, not just numbers. Online generators can convert text, URLs, or files into QR codes and decode them back.

System Authentication Mechanism

Modern apps use token‑based authentication. After the initial username/password login, the server issues a token bound to the account and device. The client stores the token and presents it with each API request. The server validates the token against stored device information.

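// Fields the server binds to an issued token
const token = {
  accountid: '账号ID',        // account ID
  deviceid: '登录的设备ID',    // ID of the device that logged in
  deviceType: '设备类型,如 ios,android,pc......'  // device type, e.g. ios, android, pc
};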

The token is used in place of the password on every request. Because it is tied to a specific device, a token that is intercepted and presented from a different device fails the server's device check.

General Steps of QR‑Code Login

Overall Flow

The PC, which is not yet logged in, sends its device info to the server and asks it to generate a QR code.

The server creates a unique QR‑code ID, binds it to the PC’s device info, and returns the ID.

The PC renders a QR code containing this ID.

The PC polls the server for the QR‑code status.

Scanning Phase

The user scans the QR code with a logged‑in mobile app, extracting the QR‑code ID.

The mobile app sends its identity and the QR‑code ID to the server.

The server binds the identity to the QR‑code ID and returns a temporary token to the mobile app.

The PC, still polling, sees the status change to “scanned”.

Confirmation Phase

The mobile app shows a confirmation prompt; the user confirms login.

The mobile app sends the temporary token to the server to confirm.

The server generates a final login token for the PC based on the bound account and device info.

The PC receives the token via its polling request and completes the login.

During this process, the QR code carries a unique ID that links the PC and mobile device, while tokens ensure secure, one‑time authentication.
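
The three phases above as a minimal in-memory server, added here as an illustration and not code from the original article. The function names, status strings, 60-second lifetime and token fields are assumptions, as is the rule that only the requesting PC may poll; the account ID passed to scan is assumed to come from the mobile app's already verified token.

```javascript
// Added example, not from the article: in-memory server side of the QR login flow.
const { randomBytes } = require('node:crypto');

const QR_TTL_MS = 60_000;                  // assumed lifetime of a QR code
const sessions = new Map();                // qrId -> session state
const rand = () => randomBytes(16).toString('hex');

// Look up a session, dropping it once expired.
function live(qrId, now) {
  const s = sessions.get(qrId);
  if (s && now > s.expires) sessions.delete(qrId);
  return s && now <= s.expires ? s : null;
}

// PC: request a QR-code ID bound to its device info.
function createQr(pcDevice, now = Date.now()) {
  const qrId = rand();
  sessions.set(qrId, { status: 'pending', pcDevice, expires: now + QR_TTL_MS });
  return qrId;
}

// Mobile: report the scan. accountId is assumed to come from the mobile
// app's own verified token, never from the request body.
function scan(qrId, accountId, now = Date.now()) {
  const s = live(qrId, now);
  if (!s || s.status !== 'pending') return null;   // unknown, expired or already scanned
  Object.assign(s, { status: 'scanned', accountId, tempToken: rand() });
  return s.tempToken;
}

// Mobile: the user confirmed. The temporary token works exactly once.
function confirmLogin(qrId, tempToken, now = Date.now()) {
  const s = live(qrId, now);
  if (!s || s.status !== 'scanned' || s.tempToken !== tempToken) return false;
  const { deviceid, deviceType } = s.pcDevice;
  s.loginToken = { accountid: s.accountId, deviceid, deviceType, value: rand() };
  s.status = 'confirmed';
  return true;
}

// PC: poll. Only the device that requested the code may poll, and the
// login token is handed out once before the session is destroyed.
function poll(qrId, deviceid, now = Date.now()) {
  const s = live(qrId, now);
  if (!s || s.pcDevice.deviceid !== deviceid) return { status: 'expired' };
  if (s.status !== 'confirmed') return { status: s.status };
  sessions.delete(qrId);
  return { status: 'confirmed', token: s.loginToken };
}
```

A second scan of the same code, a replayed or wrong temporary token, and any request after the lifetime has passed are all rejected, so a photographed QR code cannot be reused once the legitimate scan has happened or the code has expired.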

Summary

QR‑code login combines QR‑code encoding, token‑based authentication, and stateful polling to let a user log into a PC by confirming a scan on a trusted mobile device, without transmitting passwords.
