Authentication and transaction verification using QR codes with a mobile device

Yang Wai Chow, Willy Susilo, Guomin Yang, Man Ho Allen Au, Cong Wang

Research output: Chapter in book / Conference proceedingConference article published in proceeding or bookAcademic researchpeer-review

7 Citations (Scopus)


User authentication and the verification of online transactions that are performed on an untrusted computer or device is an important and challenging problem. This paper presents an approach to authentication and transaction verification using a trusted mobile device, equipped with a camera, in conjunction with QR codes. The mobile device does not require an active connection (e.g., Internet or cellular network), as the required information is obtained by the mobile device through its camera, i.e. solely via the visual channel. The proposed approach consists of an initial user authentication phase, which is followed by a transaction verification phase. The transaction verification phase provides a mechanism whereby important transactions have to be verified by both the user and the server. We describe the adversarial model to capture the possible attacks to the system. In addition, this paper analyzes the security of the propose scheme, and discusses the practical issues and mechanisms by which the scheme is able to circumvent a variety of security threats including password stealing, man-in-the-middle and man-in-the-browser attacks. We note that our technique is applicable to many practical applications ranging from standard user authentication implementations to protecting online banking transactions.
Original languageEnglish
Title of host publicationSecurity, Privacy, andAnonymity inComputation, Communication, and Storage - 9th International Conference, SpaCCS 2016, Proceedings
PublisherSpringer Verlag
Number of pages15
ISBN (Print)9783319491479
Publication statusPublished - 1 Jan 2016
Event9th International Conference on Security, Privacy, and Anonymity in Computation, Communication and Storage, SpaCCS 2016 - Zhangjiajie, China
Duration: 16 Nov 201618 Nov 2016

Publication series

NameLecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume10066 LNCS
ISSN (Print)0302-9743
ISSN (Electronic)1611-3349


Conference9th International Conference on Security, Privacy, and Anonymity in Computation, Communication and Storage, SpaCCS 2016


  • Authentication
  • Mobile device
  • One-Time-Password (OTP)
  • QR code
  • Transaction integrity
  • Transaction verification
  • Transaction-Authentication-Number (TAN)

ASJC Scopus subject areas

  • Theoretical Computer Science
  • Computer Science(all)

Cite this