Login via QR Code #9642

Closed
akowi-sknobloch opened this issue May 8, 2024 · 6 comments
Labels
question Further information is requested

Comments

@akowi-sknobloch

Describe your question/
We are currently evaluating authentik for handling the authentication for our different internal apps.
Our primary focus lies on developing apps to automate, track and aid with the different processes in our factory.
The workers log in at different stations specialized for logistics, production or shipping tasks.

We are using Zebra WS50 as an all in one scanner & display solution.
As the WS50 only has a 2 inch display, showing a complete login form is not really great for auth.
Now the idea would be, that the worker could authenticate on a terminal with a larger display.
The terminal could then display a QR Code containing a short lived token.
The WS50 could scan the code and authenticate using the contained token.

This would kinda work like the QR Code Auth in WhatsApp Web, Steam or Discord but in reverse.
Would something like this be possible using authentik?
If so, how would someone configure such a flow?

@akowi-sknobloch akowi-sknobloch added the question Further information is requested label May 8, 2024
@it-global-architect

Hi, yes this should be possible with the passwordless option but unfortunately it is not working for me right now. You can check the bug I opened and got no answer until now #9513

There is also a video tutorial that explains how to do it: https://www.google.com/url?sa=t&source=web&rct=j&opi=89978449&url=https://www.youtube.com/watch%3Fv%3DaEpT2fYGwLw&ved=2ahUKEwjWwu3lj4GGAxUTk1YBHaH0BE8QwqsBegQIDxAG&usg=AOvVaw1z7CtFPqozw-sBGqMfLxvl

Please let me know if you can find out how to make it work as I really would like to have it as well.

Thanks

@akowi-sknobloch
Author

The tutorial is not what I am trying to achieve.
He is using his phone as a security key to log in to his computer.
I want it the other way around.
The users should authenticate on a normal computer.
The computer should then show a QR code which the user could scan to authenticate on a different device like a smartphone or, in our case, a Zebra WS50 scanner.

@it-global-architect

I can't imagine it working in the way you described, but you have other options that may perform something similar to what you need.
Maybe you don't really need a computer; you could have a printed QR code on paper or anywhere. Scan it with your device, select your passkey (on your device) and you are in! Of course the QR code could be on a computer screen, but that is not really necessary in this situation.

If you explain better why you want this flow, maybe we can help you more. Is it to avoid the slow user/password entry on a small screen? The step above does not need it.

Is the step above lacking in security? Why not merge it with a mobile phone scan?
device scans QR code tag > device chooses passwordless login and presents a QR code > mobile phone (or maybe a computer with camera) scans that QR code > device is logged in. Not a single letter typed on the device...

@akowi-sknobloch
Author

The primary reason for not having a "normal" auth flow with the workers entering an email and a password is the small screen size of the Zebra WS50.
Here is a picture of one for reference:
image

The targeted users are our production workers.
Most of them aren't very tech savvy, so we need a way for them to quickly authenticate on such a small device.
The different devices aren't fixed to users; every day someone else could work on a station.

Currently we have implemented a basic authentication into each of our tools.
By auto-suggesting the user's email and using very short passwords they can authenticate fast.
This also works on the WS50 but it's a bit cumbersome and not really secure.
Furthermore, I believe this email auto-complete/suggestion does not work with authentik.

I would be open to other approaches for authenticating on such a small device.
Using a dedicated login terminal which displays the login QR code for the individual user was just my first idea.

In the workflow I imagined, every production worker would receive a smart card.
They would authenticate using their card on one of the login terminals.
Then they would scan the login QR code using the WS50 and be authenticated on the WS50.

Maybe I will have to implement this flow using authentik's REST API.
So I would create a dedicated login terminal app which handles the authentik auth.
The app could then request a token from authentik and embed it in a QR code.
Then the app on the WS50 could scan the code, extract the token and authenticate the user over authentik's REST API.
I guess this should be possible using Machine-to-machine authentication described here: https://docs.goauthentik.io/docs/providers/oauth2/client_credentials
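
The handoff sketched in the comment above, as an added example that is not part of the original thread and is not authentik code: the QR code carries an opaque, single-use, short-lived code that the scanner redeems, so a photographed or stale QR code is worthless. `HandoffBroker`, the 30-second TTL and the user name are assumptions; after a successful redeem the real backend would create the session through whatever the identity provider supports.

```python
import hashlib
import secrets
import time


class HandoffBroker:
    """In-memory stand-in for the login-terminal backend (hypothetical name)."""

    def __init__(self, ttl_seconds=30, clock=time.time):
        self.ttl = ttl_seconds
        self.clock = clock
        self._pending = {}  # sha256(code) -> (username, expires_at)

    @staticmethod
    def _digest(code):
        # Only the hash is stored, so a leak of the store reveals no usable code.
        return hashlib.sha256(code.encode()).hexdigest()

    def issue(self, username):
        """Called after the worker authenticated on the terminal; returns the QR payload."""
        code = secrets.token_urlsafe(32)  # opaque: carries no identity or access rights
        self._pending[self._digest(code)] = (username, self.clock() + self.ttl)
        return code

    def redeem(self, code):
        """Called by the scanner app; returns the username exactly once, else None."""
        entry = self._pending.pop(self._digest(code), None)  # pop makes it single use
        if entry is None:
            return None  # unknown code, or already redeemed (replay)
        username, expires_at = entry
        if self.clock() > expires_at:
            return None  # QR code stayed on screen too long
        return username


def demo():
    now = [1000.0]  # constructed clock so expiry can be shown without sleeping
    broker = HandoffBroker(ttl_seconds=30, clock=lambda: now[0])
    code = broker.issue("worker-17")   # constructed sample user
    first = broker.redeem(code)        # scanner reads the QR code within the TTL
    replay = broker.redeem(code)       # same QR code presented a second time
    stale = broker.issue("worker-17")
    now[0] += 31                       # TTL elapses before the scan
    expired = broker.redeem(stale)
    return first, replay, expired


if __name__ == "__main__":
    print(demo())
```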

@it-global-architect

it-global-architect commented May 10, 2024

I understood your points, and your desire to use the already scanner-capable equipment to scan something (a login PC or something like this) to log in, but as far as I know the standard is the opposite. The already logged-in device scans the other.
Anyway, you have a simple and easy solution using passwordless:
1: Open a link on your device; it will show a QR code without any user input.
2: The employee's mobile phone scans the QR code and logs in. Both Android and iOS are passkey capable without any extra app.
*Don't want to/can't use the employee's mobile phone? Another possibility is a USB key or NFC key, depending on your device capabilities.

Keep in mind that to make the user identification safe and as simple as one click, you need to give the employees something that will uniquely identify them, like a USB key or a mobile phone.

Besides this, you will have to implement something less usual and take a risk. Remember that unusual things that are considered niche can take a longer time to get the devs' attention when something breaks in a new version or in a technology change, unless you are paying a lot.

@akowi-sknobloch
Author

We don't want the employees to use their private phones.
Giving every employee a mobile phone was also a consideration we already had.
The WS50 does have NFC capabilities and we already considered using that for authentication.

I think I have enough ideas now to create an example project to test different auth approaches.
Thanks very much @it-global-architect for your input!
