Direct Code Authentication

A streamlined, secure method for authentication without requiring QR code scanning or SMS delivery.

Direct Code Authentication provides a simplified yet equally secure alternative to QR-based authentication. It maintains the core security principles of hardware-binding and zero credential storage while offering superior resistance to phishing and credential theft.

This approach is ideal for scenarios where camera access is limited, QR scanning is impractical, or a more familiar entry method is preferred. Users simply enter a short, friendly alphanumeric code displayed on the website into their QuantumPass app to initiate the secure authentication process.

Design Principles

Direct Code Authentication maintains hardware-bound security, phishing resistance, and zero credential storage while providing a simplified user flow that works on any device that can display and accept text input.

Same Security Foundation

Like all QuantumPass authentication methods, Direct Code Authentication relies on hardware security modules, with cryptographic operations performed within the device's TEE or Secure Enclave, ensuring keys never leave secure hardware.

QuantumPass
Enter Code
QP-723|
Verify
Enhanced Phishing Protection

Even if a user enters a legitimate code while on a phishing site, authentication will always occur with the correct domain, and the user will be alerted about the domain mismatch.

How Direct Code Authentication Works

Understanding the technical implementation and security model

1. User Initiation

User clicks "Log In" on the Service Provider's website.

2. Code Generation

Server generates a unique, short-lived code (QP-XXX-XXX) linked to the session.

3. App Entry & Resolution

User enters code in App. App resolves the code to identify the Service Provider domain.

4. Local Verification

User confirms domain and authenticates via Biometrics (FaceID/TouchID).

5. Cryptographic Handshake

Device signs the challenge in Secure Enclave. Server verifies signature and establishes session.

Phishing Resistance

Unlike traditional systems where phishing can capture reusable credentials, Direct Code Authentication is inherently resistant to phishing attacks:

  • Domain Verification - The app shows the actual domain the code was generated for
  • Device Binding - Authentication is bound to the user's physical device
  • No Credential Capture - There are no reusable credentials for attackers to steal
  • One-time Codes - Each code expires after a single use or timeout

Technical Implementation

Direct Code Authentication implements several technical safeguards:

  • Secure Code Format - Codes use the format QP-XXX-XXX with carefully selected character sets
  • Short-lived Codes - Codes expire after 3 minutes
  • Challenge-Based - Each code contains a unique cryptographic challenge
  • Hardware Security - All cryptographic operations take place in secure hardware
  • Domain-specific IDs - Prevents cross-site tracking while maintaining security

Security Architecture

Direct Code Authentication leverages QuantumPass's core security foundation

Implementation Standards

  • Biometric Authentication

    FaceID, TouchID or equivalent with anti-spoofing

  • Hardware Security

    TEE/Secure Enclave with key attestation

  • Cryptographic Signing

    ECDSA with P-256 curve

  • Time-Limited Codes

    3-minute expiration with anti-replay protection

  • Domain Isolation

    Domain-specific identifiers with privacy protection

  • Attack Mitigation

    Rate limiting and progressive delays

Step 3: User enters code in QuantumPass app

The QuantumPass app has a dedicated code entry screen where users can:

  • Enter the code displayed on the website
  • Have their biometrics verified
  • Device security verified via TEE/Secure Enclave

Authentication Code

QP-ABC-123
QuantumPass
Enter Authentication Code

Enter the code displayed on the website to authenticate securely without passwords.

Direct codes are one-time use and expire after 3 minutes for security.

// Generate direct authentication code
async function generateDirectAuthCode(authRequest) {
  // Generate a unique 6-8 character alphanumeric code with hyphens for readability
  // Format: QP-XXX-XXX where X is alphanumeric
  const codePrefix = 'QP';
  const codePartOne = generateRandomAlphanumeric(3);
  const codePartTwo = generateRandomAlphanumeric(3);
  const directCode = `${codePrefix}-${codePartOne}-${codePartTwo}`;
  
  // Create a unique ID for this authentication request
  const requestId = crypto.randomUUID();
  
  // Store the mapping between the code and the authentication request
  // This expires after a short time (e.g., 3 minutes)
  await database.storeDirectCodeMapping({
    directCode: directCode,
    requestId: requestId,
    domain: authRequest.domain,
    challenge: authRequest.challenge,
    createdAt: Date.now(),
    expiresAt: Date.now() + (3 * 60 * 1000), // 3 minutes
    used: false
  });
  
  // Return the code for display
  return {
    directCode: directCode,
    requestId: requestId
  };
}

Benefits of Direct Code Authentication

A streamlined solution that maintains QuantumPass's security guarantees

Universal Accessibility

Works on any device that can display and accept text input, even when camera access is unavailable or limited.

Ideal for devices without cameras or in environments where scanning QR codes is impractical.

Hardware-Bound Security

Maintains the same hardware security guarantees as QR-based authentication with biometric verification and secure hardware operations.

All private keys and cryptographic operations remain within the TEE/Secure Enclave.

Simplified User Experience

Easy-to-understand interface with minimal steps, while maintaining the zero-credential security model.

Familiar entry pattern that users can easily understand without compromising security.

Phishing Resistance

Inherently resistant to credential phishing with domain verification and hardware-bound authentication.

Even if a user enters a legitimate code on a phishing site, the attacker gains no usable credentials.

Easy Integration

Simple implementation for developers with the same SDK and API endpoints as other QuantumPass authentication methods.

Integrates with existing QuantumPass infrastructure and can be used alongside QR-based methods.

Part of QuantumPass Core

Fully integrated with the QuantumPass ecosystem, supporting multi-device management and account recovery systems.

Works seamlessly with other QuantumPass features and security infrastructure.

Developer Resources

Implementation guides and code samples for integrating Direct Code Authentication

JavaScript SDK Implementation
1. Include the QuantumPass SDK
<script src="https://sdk.quantumpass.com/v2/quantumpass.min.js" integrity="sha384-H7V+013jJg6JMmFn+F8OrKw1jCfDZ7SP4MDM4" crossorigin="anonymous"></script>
2. Initialize the Direct Code Auth
<!-- Your login interface HTML -->
<div id="qp-direct-code-container"></div>

// Initialize QuantumPass Direct Code Authentication
const directCodeAuth = new QuantumPass.DirectCodeAuth({
  container: '#qp-direct-code-container',
  appId: 'YOUR_APP_ID',
  origin: window.location.origin,
  onSuccess: function(session) {
    // Handle successful authentication
    console.log('Authenticated!', session);
    // Redirect or update UI as needed
    window.location.href = '/dashboard';
  },
  onError: function(error) {
    // Handle errors
    console.error('Authentication failed:', error);
  },
  customization: {
    theme: 'light',
    accentColor: '#4361ee',
    codeFormat: 'QP-XXX-XXX'
  }
});
REST API Integration
1. Generate Authentication Code
POST /api/v2/auth/direct-code/generate
Content-Type: application/json
X-QP-API-Key: YOUR_API_KEY

{
  "app_id": "YOUR_APP_ID",
  "origin": "https://yourwebsite.com",
  "session_data": {
    "request_id": "unique-request-id",
    "timestamp": 1620000000000
  },
  "code_format": "QP-XXX-XXX",
  "expiration": 180
}
Mobile SDK Integration (Code Entry)
iOS Implementation (Swift)
// Add code entry capability to your app
import QuantumPassSDK

class DirectCodeEntryViewController: UIViewController {
    
    let codeEntryField = QPDirectCodeEntryField()
    let verifyButton = UIButton()
    
    override func viewDidLoad() {
        super.viewDidLoad()
        
        // Configure code entry with validation
        codeEntryField.configure(format: "QP-###-###")
        
        // Handle verify button tap
        verifyButton.addTarget(self, action: #selector(verifyCode), for: .touchUpInside)
    }
}