QR Code
QR Codes within RapidIdentity are best for contingent users (e.g. interns, contractors) and other low-risk users (e.g. guests, young students) relative to the global organizational user population.
RapidIdentity QR Codes can serve two purposes: an Authentication Policy Criterium or an Authentication Policy Method.
Whether the QR Code should apply as a criterium or method depends on the specific Authentication Policy use case requirements relative to the overall organizational security and business policy.
It is beyond the scope of the RapidIdentity Product Guides to address all possible Authentication Policy use cases with their requirements through the lens of security and business policy. The exploration and possible solution approaches to these use cases and their requirements occur during various stages in the context of how Identity Automation Professionals engage the Customer.
Therefore, this page describes QR Code Configuration and key concepts to consider regarding Authentication Policy QR Code integration.
Decision Process
To determine how a QR Code applies to an Authentication Policy, follow these steps:
Does the use case require a QR Code?
No: Choose different Authentication Methods, Criteria, or both.
Yes: Proceed to Question #2.
Does the use case require the QR Code as a first step in the authentication process?
No: Use QR Code as an Authentication Method.
If more than one Authentication Method is in the Authentication Policy, prioritize the Methods using the up and down arrows.
Yes: Use QR Code as an Authentication Criterion.
Does the use case require the QR Code as a substitute for the username only?
No: Secure QR Code (replaces username and password).
If the use case is username and password only, no other criteria or methods are necessary. Otherwise, configure additional Authentication Methods, Criteria, or both.
Do not enable Insecure QR Code ID Scans.
Generate Secure QR Code in RapidIdentity Portal.
Yes: Insecure QR Code.
The best practice is to configure additional authentication methods (e.g. PingMe) or criteria (e.g. LDAP filter) to increase security.
Enable Insecure QR Code ID Scans.
Generate Insecure QR Code in RapidIdentity Portal.
Configuration
QR Code configuration requires administrative access to both RapidIdentity Appliance and RapidIdentity Portal.
RapidIdentity Appliance sets the Authentication Policy configuration, and RapidIdentity Portal determines the QR Code security and generation (i.e. printing) availability.
A single user that is not a member of both the System Admin and Portal Profiles Admin RapidIdentity Appliance Roles cannot define and configure Authentication Policies using QR Codes or configure QR Code generation accessibility.
The RapidIdentity Portal Profiles Delegation Definition Manager configuration determines QR Code generation. Caution is important to ensure the appropriate user population can print QR Codes to minimize risk.
Criterion
RapidIdentity Authentication Policy Criteria determine when the Authentication Policy is active for a given user.
If the Authentication Policy use case parameters include requiring users as a first step to use a QR Code to authenticate, then the QR Code should be enabled as an Authentication Policy Criterium.
 |
If the Authentication Policy use case parameters do not require users as a first step to use a QR Code to authenticate and the Authentication Policy use case parameters require a QR code to authenticate, then the QR Code is best integrated as an Authentication Policy Method.
Method
QR Code is one of nine possible RapidIdentity Authentication Policy Methods.
 |
If the Authentication Policy use case requires more than one authentication method, then the authentication policy methods must be prioritized using the up and down arrows.
After Authentication Policy configuration, the QR Code generation configuration can occur through the RapidIdentity Portal Delegation Definition Manager.
Advisory
The screenshots above illustrate active authentication policies to facilitate readability.
It is best not to make the QR Code Authentication Policy active until the completion of the Delegation Definition Manager configuration and user QR Code printing. Otherwise, users matching the active Authentication Policy requiring a QR Code will be forced to scan a QR Code they do not possess and will not be able to authenticate successfully.
Security
RapidIdentity Authentication Policies can support two different QR Codes: Insecure and Secure.
Insecure
An Insecure QR Code applies if the use case requirements state that a QR Code is a username substitute only. Consequently, Insecure QR Codes can never expire.
 |
It is necessary to ensure that the Insecure QR ID Scans Enabled checkbox is checked and that the resultant QR Codes are printed as Insecure QR Codes to make this Authentication Policy successful.
An Insecure QR Code is not bound to a user's password or any other authentication method.
Caution
Since an Insecure QR Code replaces the user's username only, the Authentication Policy should require at least one additional Authentication Method or Criterium.
Insecure QR Code generation occurs through a RapidIdentity Portal Profiles Action button, which is made accessible in the RapidIdentity Portal Delegation Definition Manager.
 |
Advisory
It is advisable to expose this Action button to users who can verify the Authentication Policy or those users trained to ensure proper QR Code generation.
In the screenshot above, the QR Code button is made accessible in the Other Profiles delegation, and this delegation is accessible to RapidIdentity Portal Profiles Help Desk users only.
This Action button generates a pop up to allow users to generate QR Codes.
 |
Secure
A Secure QR Code applies if the Authentication Policy use case requirements state that the QR Code is a replacement for the user's username and password.
How the Secure QR Code Works
In the unlikely event involving the decryption of a RapidIdentity QR Code, the only meaningful information obtainable is the user's idautoID , which is an alpha-numeric, case-sensitive string stored as a directory service attribute. This attribute should be set once and never changed, and the idAutoID should not serve as the username during the authentication process. If the idautoID remains static and unique to all organization users (i.e. programmatic objects) forever, usernames can be changed or reused in accord with organization policy.
The Secure QR Code contains a string that is encrypted with the user's password. The verification process attempts to decrypt the string with the user's current password. The verification is successful if and only if the user's current password matches the password used during the QR Code generation. If the verification is not successful, then the user cannot authenticate.
RapidIdentity can neither decrypt the encrypted string if the passwords do not match nor apply a mechanism to obtain the password used to generate the QR Code.
Thus, any change or update to a user's password invalidates (i.e. expires) the existing Secure QR Code and the Secure QR Code generation process must restart.
An Authentication Policy use case with this requirement should ensure that the policy is enabled and the Insecure QR ID Scans Enabled checkbox is not checked.
 |
Advisory
If the Authentication Policy use case requirements state that users matching this Authentication Policy only require a username and password, no additional authentication policy configuration in RapidIdentity Appliance is necessary.
If the Authentication Policy use case requirements state that users matching this Authentication policy require additional authentication criteria or methods, this configuration must occur accordingly.
Since this Authentication Policy does allow Insecure QR Codes, the QR Codes printed within RapidIdentity Portal Profiles delegations must be Secure QR Codes.
 |
QR Code Authentication
QR Code authentication requires a supported browser and platform.
For the example shown below, the authentication policy requires either a username or QR Code first, and then a password.
 |
Selecting QR Code directs users to a screen to allow QR Code scanning with the user's laptop camera; the camera window in the screenshot below is black because of the laptop orientation. It is necessary to allow the browser to activate the webcam to scan the QR Code.
 |
Once the QR Code is scanned successfully the user is redirected to a page to enter their password.
 |
Entering the correct password directs the user to the default landing module.
Moving Forward
Help is always available in the crafting of Authentication Policies, especially in the context of proper QR Code Integration by contacting Identity Automation Support