Network Authentication to the Physical World

University essay from KTH/Kommunikationssystem, CoS

Abstract: Quick Response (QR) codes have been used for both non-authentication purposes and authentication & authorization of a user. The visual representation of a QR code requires a reader/decoder to convert the code to a readable resource for an application. This raises some concerns, such as: What kind of information and how much information can be stored in this representation? What kind of vulnerabilities are there when using this technology in some type of authentication? The concrete problem addressed in this thesis is whether a mobile device displaying a QR code can be used as an authenticator for an Axis Communications A8105-E Network Video Door Station. To solve this problem the thesis investigates the use of QR codes in authentication & authorization based upon displaying a QR code on a mobile device, scanning this code via a camera, and then verifying the code using a validation server. Two important issues were what information to put into the QR code (given that the QR code is to be read by a camera) and where the decoding process should be carried out. This thesis also considers multiple types of authentication. Moreover, the system contains multiple components which themselves rely on secure communication and well-designed protocols to ensure security (against popular methods of attack) and stability. A prototype of the proposed authentication process was evaluated using a testbed consisting of three door stations, an Android app, and a backend service for analysing QR codes and making an authentication & authorization decision. QR codes proved to be as secure as the current solutions, such as magnetic stripe or RFID access cards. Using QR codes together with the user’s mobile device also offered additional functionality, such as easy management of the device registration/deregistration and compatibility with multifactor authentication. 
The conclusion is that, with the current door station products and the finalized design of the software, it is possible to have a secure and scalable system which is also cost-effective, because it eliminates the need for human verification as well as the equipment required for access card systems.
