I need to verify that survey respondents are in the same physical room or video chat (to prevent industry espionage). The respondents can join by scanning a QR code that opens a URL which embeds a code with 61 bits of entropy. The code and QR change every 5 minutes.
However, as URLs tend to be considered security by obscurity, I'm a bit uncertain about allowing QR code sign in. Is this secure, or should respondents enter the code by hand instead?
Also, is 61 bits of entropy adequate?
And if this is insecure, would changing the QR code more rapidly provide greater security? I could make the code expire in 20 seconds and swap it after 5 seconds and achieve adequate usability.
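
The rotating-code scheme described in the question, as an added example that is not the poster's code: a server issues a 61-bit random code, swaps it every 5 seconds, accepts each code for 20 seconds, and a helper bounds the chance that blind online guessing hits a live code. The names `RotatingCodes` and `guess_success_bound` are hypothetical, and the guess rate passed to the bound is an assumed parameter, not a figure from the question.

```python
import hmac
import secrets

CODE_BITS = 61   # entropy stated in the question
ROTATE_S = 5     # swap interval from the question's faster variant
EXPIRE_S = 20    # code lifetime from the question's faster variant


class RotatingCodes:
    """Issues random join codes and accepts each one only until it expires."""

    def __init__(self, rotate_s=ROTATE_S, expire_s=EXPIRE_S):
        self.rotate_s = rotate_s
        self.expire_s = expire_s
        self.live = []  # (issued_at, code) pairs, oldest first

    def _prune(self, now):
        # Drop every code whose lifetime has run out.
        self.live = [(t, c) for t, c in self.live if now - t < self.expire_s]

    def current(self, now):
        """Return the code to embed in the QR URL at time `now`."""
        if not self.live or now - self.live[-1][0] >= self.rotate_s:
            # CSPRNG output; never derive the code from the clock or a counter.
            self.live.append((now, secrets.randbits(CODE_BITS)))
        self._prune(now)
        return self.live[-1][1]

    def verify(self, candidate, now):
        """Accept `candidate` (an int) only if it matches an unexpired code."""
        self._prune(now)
        ok = False
        for _, code in self.live:
            # Compare every live code in constant time, without early exit.
            ok |= hmac.compare_digest(f"{code:016x}", f"{candidate:016x}")
        return ok


def guess_success_bound(guesses_per_s, window_s, live_codes, bits=CODE_BITS):
    """Union bound on blind guessing hitting any live code within window_s."""
    return min(1.0, guesses_per_s * window_s * live_codes / 2 ** bits)


if __name__ == "__main__":
    # Constructed scenario: 1000 guesses/s allowed by rate limiting (assumed),
    # 20 s window, up to 4 codes live at once (EXPIRE_S / ROTATE_S).
    print(guess_success_bound(1000, EXPIRE_S, EXPIRE_S // ROTATE_S))
```

The bound covers blind guessing of the code only; it does not address a code being passed on by someone who can see it.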