Animate Login is a proposed authentication scheme that uses QR codes and Internet-connected smartphones to let a user quickly sign in to a web site without having to memorize or type in a username and password. The user only has to prove that they are in possession of their mobile phone. We've developed a demonstration app and web site for this approach, which you can try if you have an Android smartphone.
- Read a description of the approach on the Galois blog.
- Try out the demonstration app and system.
- Get the code for the prototype or visit tiqr.org.
- Read the draft protocol description using REST & JSON.
- Read the great discussion on Reddit NetSec.
In this scheme, there is a single step for both account creation and for subsequent log-in: The user scans a QR code.
Account creation: When a user visits a web site for the first time, the site generates and displays a QR code for login, and the user scans it. An account is created for them. They have no need to generate and record a username or password or any other information.
Log in: When a user subsequently visits a web site and needs to log in, the site displays a QR code that the user scans with the same mobile phone. The user is logged in without having to remember a username or password, or even remember whether they have visited that web site before.
The user can choose to increase security by locking their phone and encrypting its data. Since the web site and the phone can exchange complex data, a strong password can be generated and stored without the user having to memorize it.
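A sketch of the scan flow described above, added here as an example; it is not the Animate Login prototype's code or its draft REST & JSON protocol. The `Site` and `Phone` classes, the message fields, the 120-second QR lifetime, the single-use nonce and the SHA-256 storage of the secret are all assumptions made for illustration.

```python
import hashlib, hmac, secrets, time

CHALLENGE_TTL = 120  # assumed: seconds a displayed QR code stays valid

class Site:
    """Web-site side (hypothetical): issues QR challenges, creates or checks accounts."""
    def __init__(self, origin):
        self.origin = origin
        self.pending = {}   # nonce -> expiry time
        self.accounts = {}  # account id -> SHA-256 of the phone's secret

    def new_qr_payload(self, now=None):
        now = time.time() if now is None else now
        nonce = secrets.token_urlsafe(32)
        self.pending[nonce] = now + CHALLENGE_TTL
        return {"site": self.origin, "nonce": nonce}  # data encoded in the QR code

    def handle_scan(self, msg, now=None):
        now = time.time() if now is None else now
        expiry = self.pending.pop(msg["nonce"], None)  # single use
        if expiry is None or now > expiry:
            return "rejected"
        digest = hashlib.sha256(msg["secret"].encode()).digest()
        stored = self.accounts.get(msg["account"])
        if stored is None:  # first scan: the account is created
            self.accounts[msg["account"]] = digest
            return "created"
        return "logged-in" if hmac.compare_digest(stored, digest) else "rejected"

class Phone:
    """Phone side (hypothetical): keeps one generated credential per site."""
    def __init__(self):
        self.vault = {}  # site origin -> (account id, secret)

    def scan(self, qr):
        if qr["site"] not in self.vault:  # nothing for the user to invent or memorize
            self.vault[qr["site"]] = (secrets.token_hex(16), secrets.token_urlsafe(32))
        account, secret = self.vault[qr["site"]]
        return {"nonce": qr["nonce"], "account": account, "secret": secret}

if __name__ == "__main__":
    site, phone = Site("https://site.example"), Phone()  # constructed sample origin
    print(site.handle_scan(phone.scan(site.new_qr_payload())))  # first visit
    print(site.handle_scan(phone.scan(site.new_qr_payload())))  # later visit
```

Because the phone generates and stores the per-site secret, the site-side check is the same code path for a first visit and a return visit; only the presence of a stored digest differs.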