Ognjen Regoje bio photo

Ognjen Regoje
But you can call me Oggy


I make things that run on the web (mostly).
More ABOUT me and my PROJECTS.

me@ognjen.io LinkedIn

QR codes suck for document verification

#privacy #public #qr

QR codes sprouted everywhere during the pandemic. Because of their prevalence, they were adopted for document verification as well. But I’m frustrated by how bad all these implementations are.

Most have problems that make them ineffective

Over some 20 documents issued by as many different agencies in ~10 different countries, I’ve 1) never had a document QR code scanned and 2) seen only two codes that I’d consider safe.

Systems for verifying documents were a hodgepodge of home-grown solutions made ineffective by a wide range of mistakes. For instance:

  • A popup that just said the document is valid.

    It contains a URL. When you open it, an alert pops up that says “Document valid.”

  • A page that only says the document belongs to me

    Another service used an alert too, but it contained just the text “Document was issued to ".

  • A page that could be enumerated

    Several services had IDs that you could access in sequence

  • A page that had incomplete information

    Several services were missing information from the paper. Some didn’t have all the information making it less effective, while others didn’t include all the information needed to tie the document or person to the webpage.

  • Just the string with the contact information of the institution that issued it

    Just NAME OF HOSPITAL, LOCAL PHONE NUMBER. It didn’t even have the international country code.

  • Just a pipe-delimited text of the document

    Something like <FIRST NAME> <LAST NAME>|NEGATIVE|20.10.2020

The best services were ones that had a complete https link to a website that contained a full copy of the document. But, it was still not reasonably possible for a non-technical user to authenticate the website.

The document services suffered from similar issues as the amateurish vaccine certificates.

Why are they suddenly stamp replacements?

A stamp still has value. For instance, when you legalize a document, it has a reference number, the institution’s name, and the name of a person who did it. Its presence does indicate at least some level of authenticity.

You also have a clear path to authenticate it. You find out about the institution and its contact information. Then you call and ask for the person by name and ask them for the document with the reference number. People can do this.

Is it ironclad? Certainly not. But it is much better than a QR code.

The presence of the QR code says nothing about the authenticity of a document. The value of a QR code is in scanning it. Then, the data on the paper and the website must match. Furthermore, it must be confirmed that the URL opened by the QR code is legitimate as well.

A couple of government organizations required documents to either have a QR code or be legalized by their embassy. My document had a QR code, but they never scanned it. The official just stared intently at it for a few minutes. I could have just printed a random QR code on top.

There is also no clear way to follow through with authenticating it. You scan the QR code then a page pops up. Then what? Check if the domain is on a white-list? Verify the SSL cert? Check the domain WHOIS? People cannot do this.

And it is nearly impossible to verify a document without internet access.

It might be because QR codes seem complex

I guess most people aren’t familiar with the technical implementation of QR codes. Therefore, they might think that it is difficult to generate a QR code for a document that a phone can recognize, know that it must open a website, and then that website must have the same information in a similar-looking format. I can understand how this might seem complicated.

So I guess because it seems complex to create one, it seems secure.

But they are very simple

As tech-savvy people know, QR codes are just machine-readable graphics that contain text. They’re only slightly more complicated than barcodes. There are hundreds of ways to generate them. You only need to Google “qr code generator”.

And in the age of Wordpress and Wix, a website is maybe only slightly more complicated.

If you put the two together, you have a system to verify documents. And both are well within reach of a computer-savvy primary school student.

It is so simple, in fact, that I made my own backend in 14 minutes. Here is a document legitimized using a QR code:

Sample document legitimized using a QR code

And here is the web page that the QR code shows:

Page confirming the legitimacy of sample document

I’ve deliberately not put much effort into the appearance, I added the giant SAMPLE watermark and made the example silly because because I’m certain that you could fool people with this.

Just change the logo to a medical institution, put some garbage legalese in the header and footer, and some legitimate-looking fields in the table. You could create a document that looks more legitimate than most.

And the backend is just a URL that follows the format: ognjen.io/qr#LOGO_URL|TITLE|HEADER|FOOTER|ATTR|DATA

I even had time to add the ability to repeat the ATTR|DATA portion adding rows to the table.

And this is what makes them dangerous

They give the illusion of legitimacy but are nearly trivial to fake

I firmly believe it is easier to generate a legitimate-looking QR code than fake a stamp. As demonstrated above, I could make a believable (albeit silly) example very quickly. I wouldn’t even know where to start making a fake stamp. Get a block of wood?

But besides that, because no one ever scans the codes, you don’t even have to spend 14 minutes to make a fake backend.

Just print a random QR code on your existing document

Create a new Word or Google Docs document. Get an image of any QR code. Place it somewhere on the page so that when you print it, it is nicely positioned on your existing document. Done!

Legitimate ✅

What is the correct way to do it?

At the moment, I can recall only two systems that correctly implemented QR codes. But none related to verifying a document.

The EU Green Pass is the first. It is well done.

The second is a government agency using a QR code for their custom system. It contained only an alphanumeric ID, and they used it just for quick retrieval with a scanner built-in to their system.

While these solutions are not for document verifications, they demonstrate how a solution for documents should work.

The only way to do this properly that I can think of is to create a central database.

Organizations would sign up, get verified then could upload documents.

The service would have a reader companion app that must be used to authenticate a document.

Besides the QR code, documents should also print the identifier. That way, a user could call the service provider and verify a document without an internet connection.

What to do about this?

I guess criminals will keep exploiting this to the point where it’s taken seriously.

And it’s up to the free market to try making a profit by fixing it.