← Back to articles

How QR Code Login Works — and Why It Can Be Hijacked

July 14, 2026

How QR code login actually works

Scan-to-sign-in skips the password box. The screen you're logging into — a laptop, a smart TV, a kiosk — shows a QR code that encodes a one-time session token, not a username or password. Your phone, already signed into your account, scans the code and confirms "approve this session." The site marks that session as yours, and you're in.

Google popularized this pattern in 2012, and it's now standard for WhatsApp Web and Desktop, several streaming services, and "scan to continue on desktop" flows in AI chat tools. A plain QR code only carries one thing capable of doing anything on its own: a URL. It doesn't execute code by itself — but that URL is exactly what an attacker targets.

Where QR login shows up

You'll run into scan-to-sign-in most often when pairing a phone with a bigger screen: WhatsApp Web, casting a session to a streaming device, linking a desktop browser to an AI assistant you already use on mobile. It's popular for a simple reason — it sidesteps typing a long password on a TV remote, and it sidesteps the weak, reused password someone picks out of frustration with that same remote.

That convenience is worth pausing on. Whether a given code is actually safe to scan deserves the same beat of hesitation you'd give an unfamiliar page asking for your credentials.

Why QR login can be hijacked

QR login isn't broken by weak cryptography. It's exploited by misplaced trust in whichever screen happens to be showing the code. Get someone to scan a code you control — swapped onto a real device, or dropped into an email — and that code can point to a login page built to capture their session token instead of approving the real one.

Here's what makes it work so well: QR codes slip past a lot of standard phishing defenses. The malicious link sits inside an image, not text, so link-scanning tools and secure email gateways have nothing to parse. The whole interaction quietly moves from a monitored desktop onto an unmanaged phone.

This isn't hypothetical. The FBI has warned that state-linked groups like Kimsuky have used QR codes in spear-phishing campaigns against U.S. organizations, and quishing volume has been climbing fast as more attackers lean on it.

Context does most of the work in telling a real prompt from a hijack attempt. The NCSC frames the risk as situational: a code you generate yourself, on a login screen you already trust, is a very different situation from one that shows up out of nowhere in a text or an email.

Tips, gotchas, and staying safer with QRDock

A few habits cover most of the risk:

QRDock's scanner previews the destination URL and flags suspicious links before you land on the page — a useful second look before you commit, though it's a best-effort check, not a substitute for the habits above. Scan and check a link with QRDock before you open it.

Frequently Asked Questions

Is QR code login less secure than typing a password?

Not inherently. It removes the risk of a keylogger capturing a typed password, and it skips weak or reused passwords entirely. The risk shifts instead to whichever screen displays the code: if that page or email is spoofed, scanning approves a session for the attacker instead of you.

Can someone hijack my session just by showing me a QR code?

Only if you scan a code you didn't generate yourself and then approve it — one embedded in a phishing email, say, or planted over a legitimate code. A QR code you generated on your own trusted login screen, and scan with your own phone, isn't something an attacker can silently intercept.

How do I know a QR login prompt is legitimate?

Generate the code yourself from the real site or app rather than scanning one sent to you. Check that the destination URL your scanner previews matches the service you expect. Treat any QR code arriving unexpectedly by email or text as suspicious until you verify it another way.

What should I do if I scanned a QR code and I'm not sure what it did?

Check what page it opened and whether you entered any login details there. If you did, change that account's password right away and turn on two-factor authentication or a passkey if the service offers one.

The takeaway

QR code login trades typing for trust in the screen showing the code — and that trust is exactly what a hijack attempt targets. Generate your own codes, check the destination before you commit, and use a scanner that previews the URL first. That's most of the difference between scan-to-sign-in working for you and working against you.