
I need to verify that survey respondents are in the same physical room or video chat (to prevent industry espionage). The respondents can join by scanning a QR-code that opens a URL which embeds a code with 61 bits of entropy. The code and QR changes every 5 minutes.

However, as URLs tend to be considered security by obscurity, I'm a bit uncertain about allowing QR code sign in. Is this secure, or should respondents enter the code by hand instead?

Also, is 61 bits of entropy adequate?

And if this is insecure, would changing the QR code more rapidly provide greater security? I could make the code expire in 20 seconds and swap it after 5 seconds and achieve adequate usability.

user3654410
  • I don't think it's really obscurity since it's still a secret, the same as a short-lived password in a POST request. – dandavis Dec 03 '20 at 09:38

1 Answer


Those kinds of controls usually fail fast. It takes one person to do a video chat to another outside, and the QR can be sent in real time elsewhere.

61 bits of entropy is more than adequate for a code that expires in 5 minutes. And I don't see any problems with using a URL with quick expiration to log in. It's the same mechanism that a lot of services use for quick login. It's the magic link that, for example, Slack sends you to log in.

The main issue is not the URL; it is that making sure people are in the same room is not easily solvable.

ThoriumBR
  • I think expecting a qr code to work over a streamed video is generous when half the time I seem to have trouble grabbing it IRL. – dandavis Dec 03 '20 at 09:40
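The following is an added worked example, not code from the asker or the answerer, showing the mechanism discussed in the question and the answer: a 61-bit random code that is embedded in a join URL, rotated and expired on a 5-minute schedule, and validated server-side, plus the arithmetic behind the answer's claim that 61 bits is more than adequate for that lifetime. The base URL, the hex encoding of the code, the `FakeClock` used to simulate time passing, and the attacker guess rate are all assumptions made for the example. As the answer points out, the code only proves that the client obtained a current code; it cannot prove physical presence in the room.

```python
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

CODE_BITS = 61          # entropy of each join code, as in the question
CODE_LIFETIME_S = 300   # 5 minutes, as in the question


def new_code(bits: int = CODE_BITS) -> str:
    """Return a fresh code with `bits` bits of entropy from the OS CSPRNG,
    hex-encoded (assumed encoding; 61 bits fit in 16 hex characters)."""
    return format(secrets.randbits(bits), "016x")


class FakeClock:
    """Hypothetical injectable clock so the example can advance time offline."""

    def __init__(self, t: float = 0.0) -> None:
        self.t = t

    def __call__(self) -> float:
        return self.t


class CodeIssuer:
    """Issues join URLs carrying a short-lived code and validates presented URLs.
    Several respondents may redeem the same code while it is still valid,
    matching the QR-code-on-a-screen use case in the question."""

    def __init__(self, base_url: str, lifetime_s: int = CODE_LIFETIME_S,
                 clock=time.time) -> None:
        self.base_url = base_url          # assumed survey join endpoint
        self.lifetime_s = lifetime_s
        self.clock = clock
        self._active: dict[str, float] = {}   # code -> expiry timestamp

    def issue(self) -> str:
        """Mint a new code, remember its expiry and return the URL to put in the QR."""
        code = new_code()
        self._active[code] = self.clock() + self.lifetime_s
        return f"{self.base_url}?{urlencode({'code': code})}"

    def _purge_expired(self) -> None:
        now = self.clock()
        for code in [c for c, exp in self._active.items() if exp <= now]:
            del self._active[code]

    def redeem(self, url: str) -> bool:
        """True if the URL carries a currently valid code.
        Expired codes are dropped first; comparison is constant-time so the
        check does not leak how many leading characters matched."""
        self._purge_expired()
        presented = parse_qs(urlparse(url).query).get("code", [""])[0]
        return any(hmac.compare_digest(code, presented) for code in self._active)


def guess_success_probability(bits: int, attempts: int) -> float:
    """Probability that `attempts` uniformly random guesses hit the single
    valid code while it is live. With one code live at a time this is the
    bound the answer's "more than adequate" rests on."""
    return attempts / 2 ** bits


def window_attack_probability(bits: int, lifetime_s: int,
                              guesses_per_second: int) -> float:
    """Success probability for an attacker who guesses at a fixed rate for the
    whole lifetime of one code (assumed rate; pick one matching your rate limit)."""
    return guess_success_probability(bits, lifetime_s * guesses_per_second)


if __name__ == "__main__":
    clock = FakeClock(1_000.0)
    issuer = CodeIssuer("https://survey.example/join", clock=clock)  # assumed URL
    url = issuer.issue()
    print("join URL:", url)
    print("redeem now:", issuer.redeem(url))
    clock.t += CODE_LIFETIME_S + 1
    print("redeem after expiry:", issuer.redeem(url))
    # 10,000 guesses/s for 5 minutes (constructed attacker rate)
    print("5-minute window, 10k guesses/s:",
          window_attack_probability(CODE_BITS, CODE_LIFETIME_S, 10_000))
    # the 20-second variant from the question, same rate
    print("20-second window, 10k guesses/s:",
          window_attack_probability(CODE_BITS, 20, 10_000))
```

Shortening the lifetime from 5 minutes to 20 seconds lowers the brute-force probability by a factor of 15, but against a 61-bit code it is already around 10^-12 at 10,000 guesses per second, so the rotation interval matters for limiting how long a leaked code stays usable, not for guessability; any practical rate limit on the join endpoint makes the number smaller still.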