Skip to content

How to Safely Use QR Codes to Access Teaching Applications

December 5, 2018

Michael Knight, President and CTO

The allure of using simple, easy authentication methods to access learning resources is rooted in convenience and time savings, especially for students and teachers. The culmination of these ideals is the QR code, or scannable “badge”.

Signing in to an application or platform with this type of badging mechanism is a lot easier than remembering complex usernames and passwords, especially for younger students. However, it must be done securely. Unfortunately, many QR code-based access systems enable authentication via actual user credentials or weak tokening methods, which can be easily breached or compromised.

The key to avoiding unintended consequences from insecure QR code methods is the use of tokenization and encryption with an integrity key to create a “gap” between the users’ actual credentials and the assigned QR codes. This is the very system we use here at Enboard.

We not only leverage the best of breed encryption methods with integrity keys that align with the latest NIST Cybersecurity Framework, but we also automate the provisioning of badges to ensure only the users who need QR codes are provisioned and enabled.

While QR codes alone can be entirely appropriate for younger students that do not have access to applications with personally identifiable information (PII), we strongly recommend additional security measures for staff, older students, and anyone who accesses high-risk applications such as HR, payroll, or SIS. In these cases, we suggest native delivery within Enboard, using several methods of multi-factor and multi-step authentication. This enables the district to provide the appropriate level of security and ease of use at the appropriate user level.

For students or applications that have no or only a minimal amount of sensitive data, using multi-step authentication can be a compelling choice. Instead of the user managing long, complex passwords, they can simply remember a two or more digit PIN code, which they’ll be prompted to enter after successfully scanning their QR code. It’s very easy and secure. Most importantly, they don’t have to remember a complex password or even their username.

For staff or anyone who uses applications that contain more sensitive information, it is highly recommended to use multi-factor authentication in combination with QR code authentication. This integration enables the individual to receive a randomly generated code in an SMS message, personal email, or application on their mobile device. The code has an expiration timeframe and system administrators can limit them to one-time use.

At Enboard, securing and providing complete control over school districts’ data, as well as empowering the district to audit, maintain, and validate their orchestration platforms is paramount.

For more information on how to securely deliver convenient access to digital applications, feel free to reach out to us at enboardinfo@encoretg.com.