Understanding QR Code Login: Principles, Token Authentication, and Implementation Steps
This article explains the fundamentals of QR code login, detailing how QR codes convey identity, the token‑based authentication mechanism, and the step‑by‑step process that enables a mobile device to securely authenticate a PC session without exposing passwords.
QR codes appear in many daily scenarios such as payments, system logins, and app downloads, raising questions about their safety and how they can be used for authentication.
QR code login is essentially an authentication method that must accomplish two tasks: tell the system who you are and prove it to the system, similar to password or SMS‑code logins.
Inform the system of the user identity.
Prove that identity to the system.
In a typical QR‑code login flow, the mobile app (already logged in) scans a QR code displayed on the PC, confirms the scan, and the same account becomes logged in on the PC without the user entering a password.
The proof of identity is achieved by the mobile app confirming the scan; the app does not transmit the password, only a confirmation that the logged‑in device performed the action.
Understanding QR Codes
Unlike one‑dimensional barcodes that store only numbers, two‑dimensional QR codes can encode any string, including URLs or arbitrary data, and can be generated or decoded with online tools.
System Authentication Mechanism
Modern mobile applications use a token‑based authentication scheme: after the first password login, the server issues a token that binds the account ID, device ID, and device type. The client stores this token and presents it with each API request.
const token = {
  acountid: '账号ID',        // account ID
  deviceid: '登录的设备ID',   // ID of the device that logged in
  deviceType: '设备类型,如 iso,android,pc......'  // device type, e.g. iOS, android, pc
}

The server validates the token by matching the stored device information; if the device matches, the request is authorized. Because the token is tied to a specific device, stealing the token alone is insufficient without the corresponding device details.
General QR‑Code Login Steps
Overview
The PC, not yet logged in, requests the server to generate a QR code and sends its device information.
The server creates a unique QR‑code ID, binds it to the PC’s device info, and returns the ID.
The PC renders a QR code containing this ID and polls the server for status changes.
The user scans the QR code with a logged‑in mobile app, which sends the QR‑code ID and the user’s identity to the server.
The server binds the identity to the QR‑code ID and returns a temporary token to the mobile app.
The mobile app prompts the user to confirm login; upon confirmation it sends the temporary token to the server.
The server generates a final login token for the PC, which the PC receives during its next poll and uses to access protected resources.
QR‑Code Preparation
The PC initiates the process by sending a request to the server, which generates a QR‑code ID and associates it with the PC’s device data before returning the ID for QR‑code generation.
Scanning Phase
The mobile app scans the QR code, extracts the ID, and sends the user’s identity together with the ID to the server, which creates a temporary token and notifies the PC that the QR code has been scanned.
Status Confirmation
After the user confirms on the mobile device, the server creates the final login token for the PC; the PC receives this token via its polling mechanism and completes the login.
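The three phases above, modelled as a small in-memory server state machine. This is an added example, not code from the original article: the class name, status strings, the 60-second lifetime and the single-use handling of the temporary token are assumptions, and `accountId` is assumed to come from the mobile app's own token, already validated by the server.

```javascript
const { randomBytes } = require('node:crypto');   // added example; names are assumptions
const QR_TTL_MS = 60_000;                         // assumed QR-code lifetime
const newId = () => randomBytes(16).toString('hex');
class QrLoginServer {
  constructor(now = () => Date.now()) {
    this.now = now;
    this.sessions = new Map();                    // qrId -> session record
    this.tempTokens = new Map();                  // temporary token -> qrId
  }
  // QR-code preparation: bind a fresh, unguessable ID to the PC's device info.
  createQr(pcDevice) {
    const qrId = newId();
    this.sessions.set(qrId, { pcDevice, status: 'PENDING', expires: this.now() + QR_TTL_MS });
    return qrId;
  }
  live(qrId) {                                    // unknown or expired IDs are dropped
    const s = this.sessions.get(qrId);
    if (!s || this.now() > s.expires) { this.sessions.delete(qrId); return null; }
    return s;
  }
  // Scanning phase: bind the identity to the ID and return a temporary token.
  scan(qrId, accountId) {
    const s = this.live(qrId);
    if (!s || s.status !== 'PENDING') return null; // a second scan cannot rebind the ID
    s.status = 'SCANNED'; s.accountId = accountId;
    const temp = newId();
    this.tempTokens.set(temp, qrId);
    return temp;
  }
  // Status confirmation: the temporary token is accepted once only.
  confirm(tempToken) {
    const qrId = this.tempTokens.get(tempToken);
    this.tempTokens.delete(tempToken);
    const s = qrId && this.live(qrId);
    if (!s || s.status !== 'SCANNED') return false;
    s.status = 'CONFIRMED';                       // token fields follow the article's token object
    s.loginToken = { acountid: s.accountId, deviceid: s.pcDevice.deviceid, deviceType: 'pc', value: newId() };
    return true;
  }
  // PC polling: only the bound device gets the login token, and only once.
  poll(qrId, pcDevice) {
    const s = this.live(qrId);
    if (!s) return { status: 'EXPIRED' };
    if (s.pcDevice.deviceid !== pcDevice.deviceid) return { status: 'DENIED' };
    if (s.status !== 'CONFIRMED') return { status: s.status };
    this.sessions.delete(qrId);
    return { status: 'CONFIRMED', token: s.loginToken };
  }
}
```

Passing a fake clock to the constructor makes the expiry path easy to exercise without waiting for the timeout.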
Summary
QR‑code login works by combining the uniqueness of a QR‑code ID with a token‑based authentication system, allowing a mobile device to securely convey identity to a PC without exposing passwords, and illustrating core concepts of both QR‑code technology and secure token handling.
Python Programming Learning Circle
A global community of Chinese Python developers offering technical articles, columns, original video tutorials, and problem sets. Topics include web full‑stack development, web scraping, data analysis, natural language processing, image processing, machine learning, automated testing, DevOps automation, and big data.
