Do you mean that someone could copy and use the same QR again?
A person intercepting traffic or spoofing a site can copy/tamper/replace the QR code just as they can plain text or binary blobs. QR is just a presentation structure that makes it easier for a camera to translate something into data. For this to be useful there would have to be a bootstrapped chain of custody and chain of trust already installed on the device scanning the QR code, meaning you know where that trust came from and you can verify it against a trusted source. If this is not what you meant, then where is the end user getting the certs used in this QR code from? Are you embedding the certs in the application? How do people know the application has not been copied/tampered with?
> intercepting traffic or spoofing a site can copy/tamper/replace the QR code
Will this be a problem with HTTPS?
When you open a page, a request will be made to my server to generate a unique login attempt, the id of this unique login attempt will be shown in the QR code.
When you scan it and enter your phone's PIN, my authenticator generates a signature of the login attempt id, your username on that website and the current time. My server verifies the signature and logs you in if everything is OK.
Have you logged in to the Discord/Reddit/Whatsapp websites by scanning the QR code shown there from their mobile app? My concept is the same but using my authenticator app, websites which do not have a native app can also offer a QR code login.
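The flow described in this post, as an added example in Go that is not the poster's or any product's code: the server mints a single-use attempt id for the QR, the phone signs attempt id, username and time with an Ed25519 device key, and the server verifies that signature and then burns the id, which is what stops a copied QR from being reused. Ed25519, the one-minute attempt lifetime, the 30-second clock skew window, the `id|user|time` message layout and prior enrollment of the phone's public key are all assumptions; the separate question of how much to trust the app itself is not addressed here.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
	"time"
)

// Server keeps pending single-use attempts and each user's enrolled device key (layout assumed).
type Server struct {
	Attempts map[string]time.Time         // attempt id -> creation time; deleted once used
	PubKeys  map[string]ed25519.PublicKey // username -> public key enrolled on the phone earlier
}

// NewAttempt mints a random attempt id; this string is what the QR code encodes.
func (s *Server) NewAttempt() string {
	b := make([]byte, 16)
	rand.Read(b) // crypto/rand, not math/rand: ids must be unguessable
	id := fmt.Sprintf("%x", b)
	s.Attempts[id] = time.Now()
	return id
}

// Message is the exact byte string the phone signs and the server verifies.
func Message(id, user string, t int64) []byte {
	return []byte(fmt.Sprintf("%s|%s|%d", id, user, t))
}

// Sign is the phone side: once the PIN unlocks the device key, sign the scanned id.
func Sign(priv ed25519.PrivateKey, id, user string, t int64) []byte {
	return ed25519.Sign(priv, Message(id, user, t))
}

// Verify is the server side: attempt known and unused, fresh, and signed by the claimed user's key.
func (s *Server) Verify(id, user string, t int64, sig []byte) error {
	created, known := s.Attempts[id]
	pub, enrolled := s.PubKeys[user]
	now := time.Now()
	switch {
	case !known:
		return fmt.Errorf("unknown or already used attempt id")
	case now.Sub(created) > time.Minute || now.Unix()-t > 30 || t-now.Unix() > 30:
		return fmt.Errorf("attempt expired or timestamp outside freshness window")
	case !enrolled || !ed25519.Verify(pub, Message(id, user, t), sig):
		return fmt.Errorf("signature does not verify for this user")
	}
	delete(s.Attempts, id) // burn the id so a copied QR cannot log in twice
	return nil
}
```

Replaying the same scanned QR, signing for a different username, or presenting a stale timestamp are all rejected by Verify; HTTPS protects the id in transit but does not by itself provide the single-use and freshness checks.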
I've seen people use QR with those sites and it doesn't make sense to me. So using a bank as example, I barely trust them to get this right. Now I am inserting your company into the chain of trust? Why am I trusting one more party to get all of this right? Or is this a solution you are selling to each vendor and they are implementing your service on prem? Is your service going to be audited by independent third parties that vendors choose? How do people verify that your application is the legitimate version? How does the bank know if someone has tampered with your application? Why is my bank trusting your application?