Companionate: sharing logins with QR codes

23 Jan 2017

Originally posted at https://tech.labs.oliverwyman.com/blog/2017/01/23/companionate-sharing-logins-with-qr-codes/

I’ve run into a problem a few times recently: having done all the right things with passwords, i.e. using a password manager and having them be unique strings of basically random garbage, I now need to enter one somewhere my password manager isn’t running. I’m typically sitting in a meeting room wanting to demo something on the shared computer, and I’ve got my phone, which is authenticated to the password manager. Currently, this means an extended period of manually copying over the login while my internal monologue wonders why I set this password, what the heck that symbol is, and why I don’t just change it to something simpler I can type more easily next time.

Companionate is intended to bridge that gap. It’s a Single Page App (using hand-crafted navigation, as quite frankly it was easier) that lets you enter the login on your phone (or other portable device), have it display a QR code with the login encoded in it, and then load the same website on the shared machine and have it read the login back in from the QR code.

So, is this even slightly secure? Somewhat, though not drastically. The Javascript as written (and feel free to check this yourself) doesn’t share any of the info you’ve input with any other machines. There might, for example, be a backdoor in the QR code scanning library, or simply a bug in the Javascript engine that leaks information. A more likely scenario is that the machine you’re logging into has been compromised in some way, but that’s up to you to confirm: if you were intending to log onto a service from that machine, you should already be reasonably certain it hasn’t been taken over, which has nothing to do with this software!

On the other hand

If you’re feeling paranoid, feel free to run your own copy (if you’re really paranoid, what are you doing copying passwords onto a machine you haven’t audited down to the silicon yourself!), but I feel it’s a reasonable point on the security/usability trade-off. There are other things that could be done to make it better, e.g. making the QR codes one-time logins or integrating with a password manager, but that would require further backend integration, whereas this works with all services out of the box.
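To make the phone-to-shared-machine hand-off concrete, here is an added example (my own illustration, not Companionate’s actual code or payload format) of the two halves of the exchange: the phone serialises the login into the text that goes into the QR code, and the shared machine treats whatever the scanner returns as untrusted input, validating its shape before filling any form field. It also adds a purely client-side improvement that needs no backend: an issued-at timestamp so a photographed or left-on-screen QR code stops being usable after a short window. The `cmp1:` prefix, the field names and the 120-second limit are assumptions for this example.

```javascript
// Added example, not the Companionate project's own code.
// Assumed payload format: "cmp1:" + base64(JSON {u: username, p: password, t: issued-at ms}).
// Runs under Node (uses Buffer); in a browser you would swap Buffer for TextEncoder/btoa.

const PAYLOAD_PREFIX = "cmp1:";       // lets the scanner reject unrelated QR codes quickly
const MAX_AGE_MS = 120 * 1000;        // assumed window after which a scanned payload is stale
const MAX_USERNAME = 256;             // assumed sanity limits on field sizes
const MAX_PASSWORD = 1024;

// Phone side: build the text that is rendered into the QR code.
// Note the password is in the clear inside the QR image; anyone who can see
// the screen can scan it, which is why the payload carries an expiry time.
function encodeLogin(username, password, issuedAt = Date.now()) {
  const json = JSON.stringify({ u: username, p: password, t: issuedAt });
  return PAYLOAD_PREFIX + Buffer.from(json, "utf8").toString("base64");
}

// Shared-machine side: turn scanner output back into a login, or explain why not.
// Every check here exists because the scanner can return arbitrary text.
function decodeLogin(text, now = Date.now()) {
  if (typeof text !== "string" || !text.startsWith(PAYLOAD_PREFIX)) {
    return { ok: false, reason: "not a Companionate payload" };
  }
  let obj;
  try {
    const json = Buffer.from(text.slice(PAYLOAD_PREFIX.length), "base64").toString("utf8");
    obj = JSON.parse(json);
  } catch (e) {
    return { ok: false, reason: "malformed payload" };
  }
  if (obj === null || typeof obj !== "object") {
    return { ok: false, reason: "unexpected fields" };
  }
  if (typeof obj.u !== "string" || typeof obj.p !== "string" || !Number.isInteger(obj.t)) {
    return { ok: false, reason: "unexpected fields" };
  }
  if (obj.u.length > MAX_USERNAME || obj.p.length > MAX_PASSWORD) {
    return { ok: false, reason: "field too long" };
  }
  // Reject stale payloads and ones claiming to come from the future (clock skew allowance 5 s).
  if (now - obj.t > MAX_AGE_MS || obj.t - now > 5000) {
    return { ok: false, reason: "payload expired" };
  }
  return { ok: true, username: obj.u, password: obj.p };
}

// Filling the form: assign .value rather than building HTML from the scanned
// text, so the contents of the QR code can never be interpreted as markup.
// `fields` is any object with username/password members exposing a .value property.
function fillLoginForm(fields, text, now = Date.now()) {
  const result = decodeLogin(text, now);
  if (!result.ok) return result;
  fields.username.value = result.username;
  fields.password.value = result.password;
  return result;
}

module.exports = { encodeLogin, decodeLogin, fillLoginForm };
```

The decoder returns a reason string rather than throwing so the page can show the person at the shared machine why a scan was rejected (wrong QR code, garbled scan, or one that has timed out) without ever placing the raw scanned text into the document.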
