Understanding QR Code Login: Principles, Token Authentication, and Implementation Steps
This article explains the fundamentals of QR code login, detailing how QR codes work, the token‑based authentication mechanism, and the step‑by‑step process—including QR code generation, scanning, temporary token exchange, and final confirmation—that enables secure cross‑device login without exposing passwords.
QR codes are ubiquitous in daily life, appearing in scenarios such as supermarket payments, system logins, and app downloads. Understanding their underlying technology helps developers choose appropriate solutions and enables non‑technical users to recognize and avoid malicious QR codes.
QR Code Login Essence
QR code login is essentially a login authentication method that must accomplish two tasks: informing the system who the user is and proving the user's identity.
Tell the system who I am
Prove to the system who I am
In practice, the mobile app, already logged in, scans a QR code displayed on the PC, confirms the login, and the same account is logged in on the PC.
Understanding QR Codes
QR codes store strings (not limited to numbers) and can be generated or decoded via online tools. They are an extension of one‑dimensional barcodes.
System Authentication Mechanism
After an initial password login, the client receives a token that binds the account ID, device ID, and device type. The token is stored locally and sent with each API request, allowing the server to verify the device without storing the password.
const token = {
  accountid: '账号ID',        // account ID
  deviceid: '登录的设备ID',   // ID of the logged-in device
  deviceType: '设备类型,如 iso,android,pc......',  // device type, e.g. iOS, android, pc, ...
};
The server generates a token that maps to this data structure, enabling secure, password‑less authentication.
General Steps of QR Code Login
Overview
Before scanning, the PC displays a QR code while the mobile app is already logged in.
The mobile app scans the QR code and prompts the user to confirm.
Upon confirmation, the PC logs in successfully.
QR Code Preparation
The PC requests a QR code ID from the server, which binds the ID to the PC's device information and returns it. The PC then generates a QR code containing this ID and continuously polls the server for status updates.
Scanning Phase
The mobile app scans the QR code, extracts the QR code ID, and sends the mobile identity together with the ID to the server.
The server binds the identity to the QR code ID, generates a temporary token, and returns it to the mobile app.
The PC, polling the server, sees the QR code status change to "scanned".
Confirmation Phase
The mobile app shows a confirmation dialog; after the user confirms, it sends the temporary token to the server.
The server creates a login token for the PC based on the bound account and device information.
The PC receives the token via its polling request and completes the login.
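The three phases above can be sketched as a small server-side state machine. This is an added example, not code from the original article: the function names, the in-memory maps, the 60-second lifetime and the single-use rule for the temporary token are assumptions, and the `mobile` argument stands for an identity the server has already verified from the phone's own login token.

```javascript
// Added example: in-memory server side of the QR login flow (names are hypothetical).
const { randomBytes } = require('node:crypto');

const QR_TTL_MS = 60_000;       // assumption: the article gives no QR code lifetime
const sessions = new Map();     // qrId -> session record
const tempTokens = new Map();   // temporary token -> qrId
const newId = () => randomBytes(16).toString('hex');  // unguessable 128-bit ID

// QR code preparation: bind a fresh QR code ID to the PC's device information.
function createQr(pcDevice, now = Date.now()) {
  const qrId = newId();
  sessions.set(qrId, { status: 'waiting', pcDevice, expires: now + QR_TTL_MS });
  return qrId;
}

// Scanning phase: bind the mobile identity to the QR code ID, return a temporary token.
function scan(qrId, mobile, now = Date.now()) {
  const s = sessions.get(qrId);
  if (!s || now > s.expires || s.status !== 'waiting') return null;  // unknown, stale or already scanned
  s.status = 'scanned';
  s.accountId = mobile.accountId;
  s.mobileDeviceId = mobile.deviceId;
  const tempToken = newId();
  tempTokens.set(tempToken, qrId);
  return tempToken;
}

// Confirmation phase: the temporary token is single-use and tied to the scanning device.
function confirm(tempToken, mobile, now = Date.now()) {
  const qrId = tempTokens.get(tempToken);
  tempTokens.delete(tempToken);  // consumed on first use, even if the checks below fail
  const s = sessions.get(qrId);
  if (!s || now > s.expires || s.status !== 'scanned') return false;
  if (s.mobileDeviceId !== mobile.deviceId || s.accountId !== mobile.accountId) return false;
  s.status = 'confirmed';
  s.loginToken = newId();        // stands in for a token bound to accountId + PC device
  return true;
}

// PC polling: only the PC that requested the QR code sees its status; the token is issued once.
function poll(qrId, pcDevice, now = Date.now()) {
  const s = sessions.get(qrId);
  if (!s || s.pcDevice.deviceId !== pcDevice.deviceId) return { status: 'unknown' };
  if (now > s.expires) { sessions.delete(qrId); return { status: 'expired' }; }
  if (s.status !== 'confirmed') return { status: s.status };
  sessions.delete(qrId);
  return { status: 'confirmed', token: s.loginToken };
}
```

The QR code ID alone grants nothing: a login token is released only after the device that scanned also confirms, and only to the PC bound at preparation time.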
Summary
QR code login works by combining QR code generation, token‑based authentication, and state transitions (waiting, scanned, confirmed) to securely convey the user's identity from a trusted mobile device to a PC without exposing passwords.