Let users verify instantly with QR code authentication

Let users log in to a desktop, kiosk, TV, or payment terminal by scanning a QR code with their mobile app. Cryptographic cross-device authentication that's instant, phishing-resistant, and requires no passwords or one-time codes.

Screen with a QR code labeled Scan to authenticate next to a phone showing an authentication request from Terminal #4 in Sydney with Approve and Decline buttons.
First credit union logo
MoneyGram logo
Qualcomm logo
Simplicity logo
Hnry logo
Air New Zealand logo
Trademe logo

Passwordless cross-device authentication for any screen

The private key never leaves the user's device. No codes are transmitted. No passwords are shared. When a user scans the QR code, they see the full context of the request on their phone (IP address, location, and device info) before they approve. It's cross-device authentication with a built-in trust check.

Deploy it with Authsignal's Web SDK to generate QR codes and Mobile SDK to respond to challenges, and trigger it anywhere in your user journey using the adaptive MFA rules engine.

Traditional login

Diagram showing the risks of traditional login on a shared screen. A login form for "Simplify" displays username and password fields with a Sign In button. An arrow points down to a warning: "Credentials exposed on screen." A second arrow points to a list of credential risks including shoulder surfing, keyloggers, and shared kiosk memory. The diagram concludes with a red alert banner labeled "Credential exposure risk."

QR code authentication

Diagram showing how QR code authentication works on a shared screen. A QR code is displayed with an "Approve login" prompt beneath it. An arrow points down to a green checkmark step: "Review context on personal device." A second arrow points to a "One tap to approve" section listing four benefits: no typing on kiosk, no password transmitted, context visible to user, and cryptographic proof. The diagram concludes with a green banner labeled "Zero credential exposure."

How QR code authentication works

Cryptographic proof. Authentication complete.

Generate the challenge.
Your backend tracks the action and your Web SDK generates a QR code containing a unique challenge ID. The code is displayed on the desktop, kiosk, TV, or terminal screen.
Scan and claim.
The user scans the QR code with their enrolled mobile app. The Mobile SDK claims the challenge and surfaces context including IP address, location, and device info so the user can verify the request is legitimate.
Approve or decline.
The user reviews the context and taps approve or decline. Their device uses the stored private key to cryptographically sign the challenge.
Real-time state update.
The onStateChange callback fires on the originating device. Your UI can respond immediately: blur the QR code when claimed, redirect when approved, or prompt a retry when declined.
Complete authentication.
Your backend receives the token and validates the challenge. If approved, the session is authenticated.
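
The challenge lifecycle in the steps above, as an added example that is not Authsignal's code and not from the original page: a simplified in-memory server model showing why the device signature should cover the challenge ID, action and decision, and why a challenge is single-use. The state names, return codes, signed-payload layout and the use of Ed25519 are assumptions made for illustration.

```javascript
const crypto = require("node:crypto");
// Assumed in-memory stores (constructed for this example).
const challenges = new Map();   // challengeId -> challenge record
const enrolledKeys = new Map(); // userId -> public key registered at enrollment

function createChallenge({ action, userId = null, ttlMs = 60_000, now = Date.now() }) {
  const challengeId = crypto.randomUUID();
  challenges.set(challengeId, { action, userId, state: "GENERATED", claimedBy: null, expiresAt: now + ttlMs });
  return challengeId;
}

function claimChallenge(challengeId, userId, now = Date.now()) {
  const c = challenges.get(challengeId);
  if (!c || now > c.expiresAt) return "EXPIRED_OR_UNKNOWN";
  if (c.state !== "GENERATED") return "ALREADY_CLAIMED";
  if (c.userId && c.userId !== userId) return "WRONG_USER"; // user-locked challenge
  c.state = "CLAIMED";
  c.claimedBy = userId;
  return c.state;
}

// Bytes the device signs: binds the signature to one challenge, action and decision.
const signedPayload = (challengeId, action, approved) =>
  Buffer.from(JSON.stringify({ challengeId, action, approved }));

function updateChallenge(challengeId, userId, approved, signature, now = Date.now()) {
  const c = challenges.get(challengeId);
  if (!c || now > c.expiresAt) return "EXPIRED_OR_UNKNOWN";
  if (c.state !== "CLAIMED" || c.claimedBy !== userId) return "NOT_CLAIMED_BY_USER";
  const key = enrolledKeys.get(userId);
  const payload = signedPayload(challengeId, c.action, approved);
  if (!key || !crypto.verify(null, payload, key, signature)) return "BAD_SIGNATURE";
  c.state = approved ? "APPROVED" : "DECLINED"; // terminal: no further updates accepted
  return c.state;
}

// Constructed run: enroll a device key, then claim and approve one challenge.
function demo() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync("ed25519");
  enrolledKeys.set("user-1", publicKey);
  const id = createChallenge({ action: "signIn" });
  const claim = claimChallenge(id, "user-1");
  const declineSig = crypto.sign(null, signedPayload(id, "signIn", false), privateKey);
  const approveSig = crypto.sign(null, signedPayload(id, "signIn", true), privateKey);
  const swapped = updateChallenge(id, "user-1", true, declineSig); // decline sig as approve
  const approved = updateChallenge(id, "user-1", true, approveSig);
  const replayed = updateChallenge(id, "user-1", true, approveSig);
  return { claim, swapped, approved, replayed };
}
```

Because the decision is part of the signed bytes, a signature produced for a decline cannot be submitted as an approval, and once the challenge reaches a terminal state the same signature is rejected on resubmission.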

Key features

Cross-device login without credentials

Users authenticate on any screen using only their mobile device. No passwords typed on shared screens. No codes copied across devices. Works out of the box with any device.

Real-time state updates via WebSocket

The originating device gets instant state updates as the challenge moves from generated to claimed to approved or declined. Use these to update your UI in real time and redirect when approved.

Context shown to the user before approval

When a user scans a QR code, they see the request context on their phone including IP address, location, device info, and any custom data you pass. This lets them make an informed decision before approving.

Works for anonymous and identified challenges

Generate QR code challenges claimable by any user, ideal for kiosks and shared screens, or lock them to a specific user ID for higher-assurance flows. No extra config needed.

Adaptive MFA built in

Connect QR code authentication to Authsignal's rules engine. Run risk rules on the action based on transaction value, velocity, and location. Only trigger a step-up challenge when risk warrants it.

Web and Mobile SDK in one integration

The Web SDK handles QR code generation on the originating device. The Mobile SDK handles scanning, claiming, and approving on the user's phone. One platform, two SDKs.

Use cases

Built for every screen your users stand in front of.

Desktop and web app login. Let users sign in to a desktop or web application by scanning a QR code with their mobile app. No password required. Ideal for shared workstations, enterprise environments, or any product adopting passwordless authentication.
Kiosk authentication without credentials. Identify users at a kiosk instantly. Loyalty programs, rewards, offers, and personalised experiences load the moment a user scans and approves, without entering credentials on a shared screen.
Quick service restaurant (QSR). Let customers scan to load their loyalty account, redeem offers, or complete a payment at a QSR terminal. Fast, hygienic, and credential-free.
QR code login for TV and connected devices. Solve the painful TV app login experience. Instead of entering credentials with a remote control, users scan a QR code on screen with their phone and authenticate in seconds.
Payment terminal verification with strong customer authentication. Cryptographic approval at the point of sale. Users scan, review the transaction on their phone, and confirm — no friction, no redirects.

Code preview

QR code authentication in your app in minutes.

Generate a QR code challenge
const { data } = await authsignal.qrCode.challenge({
  action: "signIn",
});

displayQRCode(data.challengeId);
Scan and approve on mobile
await authsignal.qr.claimChallenge(
    challengeId: challengeId
)

await authsignal.qr.updateChallenge(
    challengeId: challengeId,
    approved: true
)
Validate server-side
const response = await authsignal.validateChallenge({
  action: "signIn",
  token: "eyJhbGciOiJIUzI....",
});

if (response.state === "CHALLENGE_SUCCEEDED") {
  // Session authenticated
}
Scan and approve on mobile
authsignal.qr.claimChallenge(
    challengeId = challengeId
)

authsignal.qr.updateChallenge(
    challengeId = challengeId,
    approved = true
)
Scan and approve on mobile
await authsignal.qr.claimChallenge({
    challengeId: challengeId
})

await authsignal.qr.updateChallenge({
    challengeId: challengeId,
    approved: true
})
“Implementing FIDO authentication through Authsignal has been a game-changer for our members’ digital experience. It’s secure, seamless and sets a new standard for trust in online banking.”
Herb Wulff, Treasury and Agency Banking Manager, First Credit Union
+58.4% of members adopted the new authentication experience
+54.5% of all authentications now use passkeys
+23,500 members enrolled in multi-factor authentication

Free to start.

Works with your existing identity stack.

Every screen is an authentication opportunity. Make it seamless.

Add QR code authentication to your desktop, kiosk, TV, or payment terminal and give users a faster, safer way to prove who they are without touching a keyboard.

Frequently asked questions

What is QR code authentication?

QR code authentication is a cross-device login method where a user scans a QR code displayed on one screen (a desktop, kiosk, TV, or terminal) with their enrolled mobile app to authenticate. It uses public key cryptography, so no passwords or codes are transmitted.

How is QR code verification different from in-app verification?

In-app verification silently authenticates a user on the same device they're already using. QR code verification is designed for cross-device scenarios where the challenge originates on one screen and is approved on another.

Can I show users context before they approve a QR code challenge?

Yes. When a user scans the QR code, the Mobile SDK surfaces the context of the originating request including IP address, location, device info, and any custom data you pass, so they can verify the request is legitimate before approving.

Can QR code challenges be claimed by any user or locked to a specific user?

Both. You can generate anonymous challenges claimable by any enrolled user, ideal for shared kiosks, or track an action for a specific user ID to lock the challenge to that user for higher-assurance flows.

Does QR code verification work without WebSockets?

Yes. The Web SDK defaults to WebSocket connections for real-time state updates but supports a polling fallback via REST API for environments that don't support WebSockets.

Does QR code authentication satisfy strong customer authentication (SCA) requirements?

Yes. Cryptographic, device-bound QR code verification meets possession-based SCA requirements under PSD2, RMiT, and PCI DSS. Talk to our team for jurisdiction-specific compliance guidance.