A user was discovered using a QR code to log into a PC. Apparently, the password was put into a QR code generator and printed. The user:
- Provides their username
- Scans the QR code with a handheld scanner and is granted access
Our company utilizes handheld scanners for a variety of reasons so it is not feasible to use endpoint protection USB device control to block all scanners or brands of scanners. This user also uses handheld scanners for everyday work duties. We are curious of a creative way to prevent this technically. We also plan on addressing this administratively through policy. One idea was floated that if possible (through GPO):
- Having a startup script to disable scanners
- A log off script to disable scanners
- A login script to re-enable the scanner
The handheld scanner apparently shows as a generic HID keyboard in device manager. Does anyone know of a feasible way to block this or perhaps an alternative solution to the problem (blocking the device at login)? Thank you!