Article

A Novel Two-Factor Authentication Scheme Based on QR Code Prompt

by Maisam Abbas and Ran-Zan Wang *
Department of Computer Science & Engineering, Yuan Ze University, 135 Far-East Rd., Chung-Li, Taoyuan 320, Taiwan
* Author to whom correspondence should be addressed.
Symmetry 2026, 18(1), 69; https://doi.org/10.3390/sym18010069
Submission received: 25 November 2025 / Revised: 19 December 2025 / Accepted: 29 December 2025 / Published: 31 December 2025
(This article belongs to the Section Computer)

Abstract

Ensuring online safety and security is critical as personal data grow increasingly valuable, necessitating robust authentication to protect users from potential threats. Current authentication mechanisms often fail to balance user convenience, cost effectiveness, and robustness. This paper addresses these challenges with a two-factor authentication scheme that leverages QR codes embedded with an encoded prompt in the form of a question-and-answer pair. The primary objective is to enhance security by verifying human presence through user interaction with geometrical patterns displayed on the QR code. Upon scanning the QR code, the user accesses a question and references the geometrical patterns shown on the QR code to answer, verifying human presence and mitigating risks of unauthorized access. The shape patterns on QR codes are tested for user perceptions regarding shape clarity, visual esthetics, and QR code scannability. Experiments demonstrate that shape width, size, and position outlines are interrelated with QR code versions or module sizes. Small versions (v1–5) achieved 92% user satisfaction and 89% scan success with centrally placed shapes and 3–5 px outlines, while larger versions (v10–15) attained 94% visual clarity and 96% scan success using randomly distributed shapes with 1–2 px outlines, resulting in a 40% reduction in authentication time compared to SMS-based OTP. This authentication QR code design is competitive in terms of construction cost and efficiency compared with other multi-factor authentication mechanisms for user verification.

1. Introduction

The rapid advancement of modern technologies has significantly transformed human lifestyles in countless ways. These innovations have proven invaluable in various aspects of daily life, such as using the internet and mobile phones for seamless communication, employing advanced computer programs to tackle complex problems, offering cutting-edge medical treatments for diverse health conditions, and simplifying financial transactions for individuals and businesses. However, alongside these benefits, technological progress also brings new challenges and complexities that require innovative and timely solutions. In today’s digital age, personal information is increasingly vulnerable to external threats. Cybercriminals, such as man-in-the-middle attackers, can intercept and compromise security codes and passwords. This poses significant risks for users conducting online activities through mobile phones, laptops, or computers. These activities may include financial transactions, accessing personal data, conducting confidential research, or using sensitive information for analytical purposes. Ensuring the safety of such operations has become a critical challenge in our interconnected world. It is essential to carry out all these activities in a secure and protected environment to ensure safety and privacy. Although the main purpose of browsing the internet differs based on the interests of the user, the requirement to browse with privacy and security has emerged as a necessity to make sure that users are kept away from intrusions and threats. Researchers worldwide are striving to enhance security measures for users while they navigate the internet. This is why researchers are continually developing innovative and advanced methods to protect users from online scams, vulnerabilities, and data breaches. Security experts and researchers worldwide have developed numerous methods to ensure safe and secure online browsing for users. 
The primary goal of these researchers is to enable users to browse the web securely and safely. This is why authentication methods are being introduced for both end users and systems, starting with single-layer password authentication processes [1,2]. In computer information systems, authentication is a key security control mechanism used to verify a user’s identity and confirm that they are who they claim to be [3]. The most prevalent, oldest, extensively recognized, and easiest forms of authentication are based on username and password phrases [4].
With the rise in various cybercrimes, relying solely on usernames and passwords is no longer sufficient to protect sensitive information. It has been demonstrated that hackers can breach these basic authentication methods. Authentication schemes have become a primary target for cybercriminals [5]. As daily data breaches continue to escalate, users’ trust in online organizations has been significantly eroded. To restore confidence and safeguard online infrastructures, organizations must focus on strengthening their security controls. This involves developing secure, cost-effective, and easily deployable web application security measures to address evolving threats [6].
The 2023 Verizon Data Breach Investigations Report [7] highlights the following troubling statistic: approximately 1404 security incidents and 1315 confirmed data breaches were recorded, with 86% of these incidents linked to weak or compromised credentials. In today’s digital landscape, implementing two-factor authentication has emerged as one of the most effective solutions for enhancing security and protecting user authentication processes [8,9]. Vulnerability to phishing attacks persisted even with single-password authentication [10,11]. Researchers have introduced a new form of authentication known as two-factor authentication. This method allows users to access their accounts or profiles through the following two layers of security: one based on something they know (e.g., a password) and the other based on something they have (e.g., a verification code or device) [12]. Two-factor authentication refers to security measures that combine traditional login information, in the form of a username and password, with a one-time password or security token [13,14]. This method enhances user security by adding an extra layer of protection. In addition to using their credentials, users must provide a security token or biometric verification, such as a facial scan or fingerprint, to access their accounts [15]. This technology is widely adopted across various industries worldwide, including healthcare [16], banking [17], social media [18], travel [19], government [20], retail [21], higher education [22], ride-sharing [23], IoT device communication [24], and energy sectors [25].
Other multifactor authentication techniques include the use of CAPTCHA (Completely Automated Public Turing Test to Tell Computers and Humans Apart) [26,27], email verification [28], geographical location tracking [29], and logging details such as date and time [30]. In addition to these techniques, researchers are exploring a new approach for two-factor authentication known as QR code authentication [31]. The QR (quick response) code is a 2D barcode invented by Denso Wave Incorporated, Japan, in 1994 [31]. It has applications in electronic payment, product advertisement, and public announcements using social media [32]; journal editors can also use QR codes to increase the visibility of their journals at zero cost [33]. For machine learning models, two methods are used for verifying the integrity of image-based datasets using QR codes to detect adversarial attacks: first, storing a verification string for each image, and second, using one string for the entire dataset [34].
This study utilizes QR codes as a two-factor authentication prompt, incorporating geometric patterns such as squares, circles, or triangles. These patterns are embedded in the QR code in a way that maintains both its decodability and visual appeal. This is achieved through the QR code’s inherent error correction mechanism, which ensures the seamless integration of these patterns without compromising its functionality or user experience.
The main contributions of this work include the following: (1) a novel two-factor authentication scheme that integrates QR codes with geometrical pattern prompts for enhanced security; (2) presenting a comprehensive experimental analysis of shape parameters and their effects on user perception, leading to version-specific design guidelines for optimal shape integration; and (3) extensive quantitative evaluation that demonstrates the proposed method’s competitive efficiency and practical applicability.
The structure of this paper is outlined as follows: Section 2 reviews related work, discussing current two-factor authentication approaches and their shortcomings. Section 3 explains the methodology used to design the geometrical patterns that are integrated into QR codes. Section 4 describes the proposed authentication method and how QR code prompts enhance security. Section 5 presents the results and discussion, focusing on factors such as user perceptions, scanning performance, and overall effectiveness. Section 6 discusses the future work and limitations of the study, outlining potential improvements and areas for further exploration. Finally, Section 7 concludes with a summary of the findings.

2. Related Work

This section reviews the existing literature on authentication mechanisms and QR code applications. We begin by examining two-factor and multi-factor authentication approaches (Section 2.1), then explore QR code applications (Section 2.2), and analyze related work on QR code-based authentication (Section 2.3).

2.1. Various Two-Factor Authentication Methods

The study [35] explored various trends in two-factor authentication, including approaches such as one-time passwords, biometric methods like fingerprint scanning, facial recognition, retina scanning, and typing rhythm analysis, as well as the use of digital certificates. Digital certificates act as electronic passwords, allowing individuals, devices, or organizations to authenticate before granting access. These methods offer enhanced security, reducing the risk of theft and data breaches, compared to traditional username and password systems. However, they are not without limitations, as they remain vulnerable to external threats such as phishing attacks, man-in-the-middle attacks, and weak credential practices, which can undermine their overall effectiveness.
The study presented in [36] proposes using Received Signal Strength Indicators (RSSIs) for identity authentication. In this method, when a user accesses a webpage and enters their username and password, the server prompts both the smartphone and computer to provide the names of currently accessible access points (APs). The server then checks for matching AP names to verify if both devices are in the same location. If a match is found, the server further requests the RSSI values from both devices and analyzes the signal strength to confirm their proximity. Based on this analysis, the server decides whether to grant or deny the user access to the system.
This approach offers several advantages, including enhanced security beyond traditional username and password methods, location-based verification, efficient use of existing Wi-Fi infrastructure, resistance to remote spoofing, and a user-friendly, non-intrusive process. However, it also has notable limitations, such as requiring multiple hardware devices, complete reliance on Wi-Fi infrastructure, restricted applicability to specific scenarios, and potential privacy concerns.
The study [37] introduced a two-factor authentication (2FA) mechanism called 2D-2FA to address security and usability challenges in existing methods. This system enhances user engagement by requiring users to input a unique identifier, sent to their computer, into a registered 2FA device after entering their username and password. The device then generates a one-time PIN with high entropy, making it resistant to guessing attacks, and automatically transmits the PIN to the server, preventing simultaneous attacks. While 2D-2FA offers improved security, active user involvement, and automated PIN transmission, it has some limitations, including the need for additional devices, dependency on device security, potential user errors, synchronization issues, and reliance on network connectivity. Despite these drawbacks, it represents a significant step forward in strengthening authentication processes.
The CAPTCHA (Completely Automated Public Turing Test to Tell Computers and Humans Apart), proposed by [38], is a verification tool designed to distinguish between humans and bots by presenting challenges such as identifying blurred or tilted text or selecting objects based on a question. Its advantages include improved bot detection, dual-layer verification, adaptability, and cognitive engagement. However, it has drawbacks, including user frustration, time consumption, a high error rate, and vulnerability to advanced AI detection tools.
The paper [39] proposed a two-factor authentication method using mobile phones to enhance the security of services like online banking and ATM transactions. Mobile phones act as software tokens to generate unique, time-sensitive one-time passwords (OTPs), with an SMS-based backup for password retrieval and synchronization. While initial tests demonstrated its effectiveness, the method has limitations, including reliance on mobile phones, risks of theft or loss, battery and connectivity issues, SMS vulnerabilities, and synchronization challenges.
The study [40] investigated cloud-based one-time passwords as a two-factor authentication (2FA) method, offering improved security compared to traditional username/password systems. This approach eliminates reliance on SMS infrastructure, provides faster delivery, and integrates seamlessly with various cloud services. However, it has limitations, including dependency on internet connectivity, potential cloud service breaches, the need for additional software or apps, and risks associated with complete cloud outages.
The use of SMS-based one-time passwords (OTPs) for two-factor authentication has become widespread due to its simplicity and compatibility with all mobile phones, requiring no internet or smartphones. This method is popular as most users are familiar with it. However, its reliability has come under scrutiny, as its security depends on the confidentiality of SMS messages transmitted by cellular networks, which is a critical component of this system, as highlighted in [41]. Additionally, issues such as SIM swapping and poor cellular coverage can compromise the timely delivery and overall security of SMS-based OTPs.
The study [42] proposed a secure mobile banking authentication scheme that replaces one-time passwords (OTPs) with contactless smart cards, combined with a public-private key pair and PIN for mutual two-factor authentication. This approach improves security by reducing vulnerabilities associated with SMS-based OTPs, such as interception. However, the reliance on specialized hardware, such as contactless smart cards, along with risks of theft or loss and high implementation costs, limits its practicality and effectiveness.
The paper [43] tackled the challenge of ensuring trust and data integrity in 3D product models, which is often compromised by disconnected lifecycle processes that limit data reuse and traceability. It explores the use of X.509 digital certificates, proposing their integration directly into 3D models. This approach facilitates robust authentication, authorization, and traceability of product data, strengthening trust across the product lifecycle. An aerospace application demonstrates the potential benefits, and further research is recommended to optimize the integration of X.509 certificates within product lifecycle management (PLM) workflows.

2.2. Uses of QR Codes

Researchers in computer system security emphasize the need for an advanced, state-of-the-art method for two-factor authentication to address the limitations of existing approaches. Based on a thorough review of the literature, it is proposed that QR codes incorporating geometric patterns with varying shapes and unique outline widths can serve as an effective two-factor authentication method, offering strong resistance to hackers, man-in-the-middle attacks, and phishing scams. The use of QR codes for various applications is rapidly increasing. The study [44] presents a unique two-factor authentication method using QR codes that contain an encrypted string of the user’s IMEI number. Authentication is completed when the user scans the QR code with their mobile phone and the device’s IMEI matches the encrypted IMEI in the QR code. The paper [45] discusses a novel two-level information protection scheme based on QR codes and visual cryptography for securing data and communication, with various decryptions having a dual layer of protection, but with the drawbacks of computational complexity and hardware dependency. The study [46] leverages QR codes to enhance security, robustness, and data embedding capacity through a three-level security scheme. First, secret data, such as watermarks, are encoded into QR codes using a generator with Base64 encoding. Next, these QR codes are embedded into components of a color image. Finally, logistic chaos encryption is applied to scramble the pixel information further, ensuring enhanced data protection. The study [34] utilizes QR codes to verify the visual fidelity of image datasets for machine learning. It employs the following two methods for perturbation detection: storing a verification string for each image and storing a single verification string for the entire dataset.
The paper [47] introduces a method for deploying the QR code into a 3D printable and understandable model with diminished visual alteration and loss of decoding robustness. The disadvantage of this method is that it requires 3D printing infrastructure with a complex design.

2.3. QR Code-Based Authentication

The study [48] explores the application of QR codes in enhancing authentication within computer system security, emphasizing their role in strengthening protective measures. Grounded in the protection motivation theory and the theory of planned behavior, the research concludes that the collaboration between computers and mobile devices enables users to bolster the security of their online credentials.
In paper [49] the authors examine QR code-based authentication to offer an alternative approach to traditional methods, increasing security through a distributed model where the interaction occurs between the user’s computer, smartphone, and server. It also leverages cloud cryptography to lighten operational load and lessen the smartphone computational burden.
The study [50] of SIMple ID extends existing SIM card standards to feature phones in order to generate QR codes for authentication. The system is biometrics-free and provides a secure and privacy-preserving alternative for foundational eID systems.
Alam et al. [51] developed enhanced QR extraction using adaptive thresholding and ShuffleNetV2 verification, achieving 99.99% accuracy with 0.08 s processing. Wang et al. [52] verified scanner identity through gripping hand biometrics with MediaPipe and transformer analysis, reaching 98.3% accuracy against replay attacks. Li et al. [53] proposed secure EHR transfer via QR codes using Avro/BPE/Gzip compression with ChaCha20 encryption, achieving 6.67x compression ratio. Kuligowska & Huć [54] explored QR-based product authenticity with unique code pairs, geolocation, and error correction, generating 100 k codes in 10 s. Al Amin et al. [55] created a QR attendance system with AES encryption for post-pandemic contact tracking. Alsuhibany [56] introduced tamper-proof QR codes using digital watermarking and neural network verification.
The advantages, disadvantages, and potential applications of various two-factor authentication methods, along with the security-related uses of QR codes mentioned in the related works from [35] to [50], are summarized in Table 1.

3. Research Methodology for Geometrical Patterns Design

To effectively integrate geometric patterns into QR codes, several factors must be carefully considered to preserve functionality and visual clarity. The module size of the QR code plays a crucial role in determining the area available for shapes such as squares, triangles, or circles. Additionally, the color of these shapes, typically black or white, must contrast with the background to maintain the visual appeal without affecting readability. Strategic positioning is equally important to avoid obstructing critical scanning areas, ensuring the QR code remains fully functional.
The outline width of the shapes is a critical parameter, balancing visibility for user recognition with the functionality of the QR code. Geometric patterns used for authentication must not obstruct the QR code’s decodability while remaining prominent enough for users to identify and interact with effectively. Achieving this requires fine-tuning parameters such as module size, outline width, shape type, color contrast, area coverage, and shape density. By carefully optimizing these elements, QR codes can retain their esthetic appeal and functionality. A well-designed methodology that integrates shape size, color, positioning, and outline width with a question-answer prompt ensures seamless scanning while effectively supporting authentication, as shown in Figure 1.
For analysis, a single shape is first embedded into a version 5 QR code with outline widths ranging from 1 to 5. The parameters are adjusted to ensure consecutive widths are varied systematically by consistently altering the position and area of the shapes. The widths from 1 to 5 represent relative units or levels of the outline thickness of the geometric shapes embedded in the QR codes. These units are not absolute measurements but are scaled to ensure consistency in experimentation. The outline width of the shapes is a very important parameter because shapes with a thin outline will be unrecognizable and shapes with a very thick outline will deteriorate the QR code readability and visual esthetics. Thus, using geometrical shapes with an optimal outline width maintains the visual esthetics, clarity, and QR code readability. The use of black and white color makes the authentication process more secure while thwarting the use of robots or other phishing tactics by attackers.

4. The Proposed Authentication Method with QR Code Prompt

4.1. Authentication Through QR Code System

To authenticate users with a QR code containing geometric patterns and a built-in question-and-answer prompt, the user first logs into their account on a personal computer using a username and password. The user’s data are sent to the main server for verification. Once verified, the server generates a QR code embedded with geometric shapes and a question related to the number of shapes. The user scans the QR code with their smartphone, selects the correct number of shapes on their device, and confirms their authentication on the personal computer, as illustrated in Figure 2. Man-in-the-middle attacks are mitigated by adding an extra layer of security, where the server incorporates the user’s registered IMEI number into the encrypted payload of the QR code, a concept taken from [44,50]. When the QR code is scanned, the mobile device cross-verifies the IMEI number, along with the SHA-256-hashed device identifier, against the data encoded in the QR code, ensuring authenticity and safeguarding against unauthorized access. To address privacy risks associated with device identifiers in the QR code-based authentication process, the system employs SHA-256-hashed device identifiers combined with temporary session tokens, ensuring that raw IMEI values are never transmitted in plaintext. This design follows data minimization principles and enforces end-to-end encryption (TLS 1.3), thereby preserving user privacy while maintaining robust authentication security. The QR code needs to be readable by the scanner even in the presence of geometrical shapes, and these shapes must be visually attractive to the users. The pseudocode for this two-factor authentication is shown below in Algorithm 1.
Algorithm 1: QR Code-Based Two-Factor Authentication with Geometric Prompts
Input: User_ID, Server_Secret, Device_ID
Output: Authentication Success/Failure
1. Server generates OTP ← HMAC(Server_Secret, User_ID, Timestamp)
2. QR_Data ← Encode(User_ID||OTP||Session_ID)
3. QR_Code ← GenerateQRCode(QR_Data, Version)
4. Embed geometric shape S with outline width w at position P based on QR version
5. Display QR_Code to user
6. User scans QR_Code via mobile device
7. Extract QR_Data and verify scannability
8. Device_Hash ← SHA-256(Device_ID)
9. Send {OTP, Device_Hash, Shape_Response} to server via TLS 1.3
10. Server validates OTP, session freshness, and device hash
11. Server verifies user response to geometric prompt
12. If all checks pass → Authentication = SUCCESS
13. Else → Authentication = FAILURE
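
The server-side checks of Algorithm 1 (steps 1–2 and 8–13), as an added Python example that is not the authors' implementation. It assumes a 60-second freshness window, a `||`-delimited payload, a session identifier returned with the response, an expected shape count held server-side per session, and single-use sessions; the class and function names and the sample device identifier are hypothetical, and QR rendering with shape embedding (steps 3–5) is not modelled.

```python
import hashlib
import hmac
import secrets
import time

OTP_TTL_SECONDS = 60  # assumed freshness window; the paper gives no value


def device_hash(device_id: str) -> str:
    """Step 8: only the SHA-256 digest of the device identifier leaves the phone."""
    return hashlib.sha256(device_id.encode()).hexdigest()


def _equal(a: str, b: str) -> bool:
    """Constant-time comparison so response timing does not leak matching prefixes."""
    return hmac.compare_digest(a.encode(), b.encode())


class AuthServer:
    def __init__(self, server_secret: bytes, clock=time.time):
        self._secret = server_secret
        self._clock = clock            # injectable so freshness can be tested
        self._devices = {}             # user_id -> registered device hash
        self._sessions = {}            # session_id -> challenge state

    def register_device(self, user_id: str, device_id: str) -> None:
        self._devices[user_id] = device_hash(device_id)

    def _otp(self, user_id: str, timestamp: int) -> str:
        # Step 1: OTP <- HMAC(Server_Secret, User_ID, Timestamp)
        msg = f"{user_id}|{timestamp}".encode()
        return hmac.new(self._secret, msg, hashlib.sha256).hexdigest()

    def issue_challenge(self, user_id: str, shape: str, count: int):
        """Steps 1-2: build QR_Data and the prompt shown after scanning."""
        ts = int(self._clock())
        session_id = secrets.token_hex(16)      # 128-bit random session id
        self._sessions[session_id] = {
            "user": user_id, "ts": ts, "answer": count, "used": False,
        }
        qr_data = "||".join((user_id, self._otp(user_id, ts), session_id))
        return qr_data, f"How many {shape}s are on the QR code?"

    def verify(self, session_id, otp, dev_hash, shape_response) -> bool:
        """Steps 10-13: every check must pass; a session is consumed on first use."""
        state = self._sessions.get(session_id)
        if state is None or state["used"]:
            return False                        # unknown session or replay
        # Burn the session even on failure: with five answer options, a
        # reusable QR code would let a bot enumerate the shape count.
        state["used"] = True
        fresh = self._clock() - state["ts"] <= OTP_TTL_SECONDS
        otp_ok = _equal(otp, self._otp(state["user"], state["ts"]))
        dev_ok = _equal(dev_hash, self._devices.get(state["user"], ""))
        answer_ok = shape_response == state["answer"]
        return fresh and otp_ok and dev_ok and answer_ok


def scan(qr_data: str, device_id: str, shape_response: int) -> dict:
    """Steps 6-9 on the phone: parse QR_Data and build the message sent over TLS."""
    parts = qr_data.split("||")
    if len(parts) != 3:
        raise ValueError("malformed QR payload")
    _user_id, otp, session_id = parts
    return {"session_id": session_id, "otp": otp,
            "dev_hash": device_hash(device_id), "shape_response": shape_response}


if __name__ == "__main__":
    DEVICE = "CONSTRUCTED-DEVICE-ID-0001"       # constructed sample value
    server = AuthServer(secrets.token_bytes(32))
    server.register_device("alice", DEVICE)
    qr, question = server.issue_challenge("alice", "circle", 3)
    reply = scan(qr, DEVICE, 3)
    print(question)
    print("first attempt:", server.verify(**reply))   # genuine user
    print("replayed:", server.verify(**reply))        # same message again
```
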

4.1.1. Formal Security Analysis

To address security rigorously, this work explicitly defines the adversarial threat model, encompassing eavesdropping, QR code interception, man-in-the-middle attacks, and bounded computational capabilities. The security properties of the adopted cryptographic primitives are formally analyzed, including AES-256-GCM under the IND-CCA2 model, SHA-256 with respect to collision and preimage resistance, and HMAC-SHA256 based on the pseudorandom function assumption. Furthermore, a formal security proof sketch is provided to demonstrate entity authentication, session key semantic security under the Random Oracle Model, and forward secrecy, complemented by BAN logic-based verification of authentication goals and a detailed analysis of computational security bounds and complexity.
A detailed security mechanism is specified, using AES-256-GCM with PBKDF2-based key derivation, time-bound nonce-based challenge–response authentication, and secure session management via RS256-signed JWTs with enforced expiration. It covers QR code integrity protection using ECDSA P-256 digital signatures, secure communication over TLS 1.3 with perfect forward secrecy and certificate pinning, and robust session and data protection against tampering and man-in-the-middle attacks. In addition, rate-limiting and abuse-prevention strategies, including capped authentication attempts and exponential backoff, are formally described with concrete algorithms, parameters, and implementation specifics.

4.1.2. Informal Security Analysis

The informal security analysis addresses replay, man-in-the-middle, QR code tampering, and session key management. It demonstrates that time-bound QR challenges with 128-bit nonces, server-side replay detection, and strict timestamp validation reduce replay success probability to below $2^{-128}$. MITM attacks are mitigated through TLS 1.3 with certificate pinning, end-to-end encrypted challenge–response exchanges, and perfect forward secrecy via ephemeral Diffie–Hellman key agreement, while QR code integrity is ensured using ECDSA P-256 digital signatures with client-side verification and explicit tamper detection. Secure session key management is achieved through HKDF-SHA256-based key derivation, periodic key rotation, hardware-backed secure storage, immediate key zeroization upon session termination, and enforced forward secrecy to prevent compromise of future communications.

4.1.3. Computational Complexity Analysis

The QR code generation phase has a time complexity of $O(n^2 + k \cdot m^2)$, where $n$ denotes the QR code version dimension, and $k$ and $m$ represent the number and module size of the embedded geometric shapes, respectively. During authentication, QR code scanning and user input operate in $O(1)$ time, shape identification has $O(k)$ complexity, and cryptographic verification incurs $O(\log n)$ cost, resulting in an effective per-authentication complexity of $O(k)$ for practical cases where k n. The space complexity is $O(n^2 + k)$, dominated by storage of the QR code matrix and lightweight shape metadata, ensuring memory-efficient and scalable real-time operation.

4.2. Experimental Process

After the user enters their username and password, the webpage displays a screen prompting the user to scan the QR code, as shown in Figure 3a. On the user’s smartphone, the QR code scanner application, linked to the same username and password, displays a login screen, as illustrated in Figure 3b. Upon scanning the QR code, a question appears, such as “How many circles are on the QR code?”, with options ranging from 1 to 5, as shown in Figure 3b,c. Once the user selects the correct number of shapes, authentication is completed on both ends, granting the user access to the webpage.
The experiment aimed to identify the optimal outline width for geometric shapes (circle, square, and triangle) embedded in Version 5 QR codes. Both black and white shapes were evaluated to determine which offered the best clarity, visual appeal, and usability while maintaining QR code decodability. The hypothesis proposed that certain outline widths would balance esthetic appeal and functional scannability effectively.

4.2.1. User’s Perception Survey

To thoroughly evaluate the impact of geometric patterns on QR codes, a total of 90 Version 5 QR codes were generated, as detailed in Table 2 and the Supplementary Files. These QR codes were designed with systematic variations to assess multiple parameters, including:
  • Outline Widths: ranging from 1 to 5, representing different levels of thickness.
  • Geometric Shapes: circles, squares, and triangles.
  • Colors: black and white to maintain optimal contrast.
  • Positional Placements: each shape was strategically placed in three distinct positions within the QR code (P1, P2, and P3) to study its impact on visibility and usability.
The study engaged 20 university students, balanced by gender (10 males and 10 females), and diverse educational backgrounds, including 10 bachelor’s students, 7 master’s students, and 3 PhD candidates. Participants were tasked with evaluating the QR codes based on the following three critical criteria:
  • Clarity: the ease with which geometric shapes could be distinguished within the QR code structure.
  • Visual Esthetics: which outline widths and design combinations were visually appealing while maintaining the integrity of the QR code.
  • Usability: how the outline width influenced the scanning performance and ease of decoding the QR code.
Each participant reviewed all ninety QR codes and provided structured feedback on each design variation. This led to a total of 1800 evaluations (20 participants × 90 QR codes), enabling a robust dataset for analysis. The responses were systematically analyzed to identify trends and preferences in outline widths for different shapes, colors, and positions.

4.2.2. Participant Recruitment and Sample Size Justification

The study adopted a purposeful sampling strategy to ensure a diverse and representative participant group while maintaining the integrity of the research process. A total of 20 university students—10 males and 10 females—were recruited from various academic levels, including bachelor’s (10 participants), master’s (7 participants), and PhD programs (3 participants). This mix of educational backgrounds added depth to the study, reflecting a broad spectrum of user perceptions and insights.
Each participant was asked to evaluate ninety systematically designed QR codes featuring variations in outline width, geometric shape, color, and position. This comprehensive design aimed to explore factors such as clarity, visual appeal, and usability while maintaining a controlled environment for participant engagement.
The increased sample size significantly enhanced the statistical reliability and generalizability of the findings. By involving a larger and more diverse set of participants, the study captured a broader range of preferences and experiences. Additionally, the expanded group size ensured the results were robust while remaining manageable for participants tasked with detailed evaluations.
The structured evaluation process was designed to minimize participant fatigue and maintain focus, allowing for meaningful and high-quality feedback. This methodological approach aligned with research ethics and standards, ensuring fairness, clarity, and precision in analyzing the optimal design parameters for integrating geometric patterns into QR codes.

4.2.3. Scannability Tests

In addition to subjective evaluations, decoding tests were performed using three mobile devices—iPhone 14 Pro Max, Samsung S23, and Asus ROG Phone 7. QR codes were scanned from a desktop screen with 1920 × 1080 resolution, 60 Hz refresh rate, 8-bit color depth, RGB color format, and standard dynamic range, as detailed in Table 3. The tests considered the following conditions:
  • Distance Variations: Scans were conducted at three distances—close (10 cm), medium (50 cm), and far (100 cm)—to assess the impact of outline width on decoding performance.
  • Lighting Conditions: Scans were performed under low, medium, and bright lighting to evaluate how different outline widths affected readability in varying environments.
Each device recorded the success rate for each QR code configuration. Failed scans provided valuable insights into which outline widths were too thin or too thick for effective decoding.

4.2.4. Extended Experimental Design: Multiple Geometrical Shapes

In this extended experiment, the number of geometrical shapes embedded in each QR code increased randomly from 1 to 5. The QR codes featured both similar and mixed shapes, including circles, squares, and triangles, in black and white. Using multiple shapes enhances the two-factor authentication process, making it more realistic, robust, and secure. The shapes were randomly oriented in the central part of the QR code, ensuring they did not obstruct the scanning zones. Each QR code was verified for scannability and included a specific question related to the number of shapes embedded within it.

4.3. Attack Resistance Analysis

A comprehensive attack resistance analysis was conducted, addressing brute-force, clock synchronization, and side-channel threats. It shows that the combined geometric shape space (≈1.95 × 10^13 configurations), augmented by shape parameter variations and strict rate limiting (three attempts per five minutes), renders exhaustive attacks computationally infeasible over practical timescales. Clock-related vulnerabilities are mitigated through server-side NTP synchronization with ±100 ms tolerance, a 60 s challenge validity window, strict timestamp drift rejection, and the exclusion of client clocks from security-critical decisions. Side-channel risks are reduced using constant-time cryptographic comparisons, hardware-backed secure enclaves for key storage, and interface-level protections such as screen-capture prevention and disabled acoustic feedback during authentication.
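The server-side controls named in this section (three attempts per five minutes, a 60 s validity window measured on the server clock only, and constant-time comparison) can be combined as in the following added sketch, which is not the authors' implementation. The class and method names, the HMAC-tagged answer storage, the in-memory stores, and the single-use handling of each challenge are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time
from collections import defaultdict, deque

CHALLENGE_TTL_S = 60     # page: 60 s challenge validity window
MAX_ATTEMPTS = 3         # page: three attempts ...
ATTEMPT_WINDOW_S = 300   # ... per five minutes


class ChallengeVerifier:
    """Hypothetical verifier for shape-count challenges (illustrative only)."""

    def __init__(self, key=None, clock=time.time):
        self._key = key or secrets.token_bytes(32)
        # Only the server clock is consulted; no client timestamp is accepted.
        self._clock = clock
        self._challenges = {}                 # id -> (user, issued_at, tag)
        self._attempts = defaultdict(deque)   # user -> recent attempt times

    def _tag(self, challenge_id, answer):
        # Bind the answer to its challenge so a tag cannot be reused elsewhere.
        msg = f"{challenge_id}:{answer}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).digest()

    def issue(self, user, shape_count):
        """Register a challenge whose correct answer is shape_count (1 to 5)."""
        if not 1 <= shape_count <= 5:
            raise ValueError("shape count must be between 1 and 5")
        challenge_id = secrets.token_urlsafe(16)
        self._challenges[challenge_id] = (
            user, self._clock(), self._tag(challenge_id, shape_count))
        return challenge_id

    def _rate_limited(self, user, now):
        # Sliding window: forget attempts older than five minutes.
        recent = self._attempts[user]
        while recent and now - recent[0] >= ATTEMPT_WINDOW_S:
            recent.popleft()
        if len(recent) >= MAX_ATTEMPTS:
            return True
        recent.append(now)   # every admitted attempt counts, right or wrong
        return False

    def verify(self, user, challenge_id, answer):
        now = self._clock()
        if self._rate_limited(user, now):
            return "rate_limited"
        record = self._challenges.get(challenge_id)
        if record is None or record[0] != user:
            return "unknown_challenge"
        _, issued_at, expected = record
        # Assumption: a challenge is single-use, so it is dropped on any outcome.
        del self._challenges[challenge_id]
        age = now - issued_at
        if age < 0 or age > CHALLENGE_TTL_S:   # drift or stale challenge
            return "expired"
        # Constant-time comparison of the stored and recomputed tags.
        if hmac.compare_digest(expected, self._tag(challenge_id, answer)):
            return "ok"
        return "wrong_answer"
```

Injecting the clock as a parameter keeps the expiry and rate-limit logic testable without waiting for real time to pass.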

5. Results and Discussion

5.1. Preferences for Outline Widths

The outline width preferences were evaluated based on the following three criteria: shape-specific preferences, color choices, and the impact of shape positioning. Users’ perceptions were assessed for clarity, visual appeal, and QR code usability in the presence of embedded shapes.
The summary of the relevant statistics is given below with graphical representation in Figure 4 and Figure 5 for black and white colors, respectively. Similarly, the mean, standard deviation, minimum value, quartile distribution, and maximum value for twenty participants for black and white colors are shown in Table 4 and Table 5, respectively.
  • Black Shapes
      ◦ Circles: Preferred outline widths were concentrated around 2 to 4, with a mean of 2.9 and a standard deviation of 0.85, as shown in Figure 6.
      ◦ Triangles: Outline widths of 2 to 4 dominated the responses, with a mean of 2.8 and lower variability (standard deviation = 0.69), as shown in Figure 6.
      ◦ Squares: Participants preferred widths of 4 and 5, with a higher mean of 4.2 and more variation (standard deviation = 0.89), as shown in Figure 7.
  • White Shapes
      ◦ Circles: Preferred outline widths ranged from 3 to 5, with a mean of 4.0 and standard deviation of 0.91, as shown in Figure 8.
      ◦ Triangles: Outline widths of 4 to 5 were dominant, yielding a mean of 4.1 with minimal deviation (standard deviation = 0.71), as shown in Figure 8.
      ◦ Squares: Thicker widths of value 4 and 5 were preferred, with a mean of 4.1 and standard deviation of 0.91, as shown in Figure 8.

5.2. Decoding Tests Results

To complement participant feedback, decoding tests were conducted on the three mobile devices under varying distances and lighting conditions to simulate real-world usage:
  • Distance Effects: QR codes with outline widths within the recommended ranges (2–4 for black circles and triangles, 3–5 for black squares, and 3–5 for white shapes) were successfully scanned at all tested distances—close (10 cm), medium (50 cm), and far (100 cm). However, outlines thicker than these ranges caused obstructions, particularly when multiple shapes were present, reducing scannability from greater distances.
  • Lighting Variations: In medium-light conditions, thicker outlines (3–5) showed higher decoding success, while thinner outlines were sufficient in bright settings, especially for black circles and triangles.
  • Device Performance: While decoding success varied slightly across devices due to differences in camera quality, overall performance was robust within the recommended outline width ranges, demonstrating the reliability and adaptability of these optimized designs.

5.3. Implications for QR Code Design

This study highlights the importance of balancing visual design with functionality when incorporating geometric shapes into QR codes. Choosing appropriate outline widths can significantly improve the user experience by enhancing both clarity and visual appeal. Additionally, central placement of shapes was shown to help prevent interference with the QR code’s scannability. These findings offer a valuable framework for designing QR codes that are both attractive and highly usable. Future research could build on these results by exploring additional shapes, colors, and outline variations to refine QR code designs for various practical applications, such as user authentication and brand engagement. The user perception and scannability test results for the version 5 QR code with embedded shapes are summarized in Table 6.

5.4. Multiple Shapes

Based on the best outline widths identified for black and white circles, squares, and triangles, QR codes embedded with more than one shape are used to make the two-factor authentication more realistic, robust, and secure. Figure 9 shows QR codes with multiple similar shapes in black and white at the best outline widths. Similarly, Figure 10 shows QR codes with a mixed number of geometrical shapes in black and white at the best outline widths. In each case, the QR code carries an appropriate question that can be used in the two-factor authentication process, for example, “How many circles are there on the QR code?”. Incorporating multiple shapes, both similar and mixed circles, squares, and triangles randomly oriented across the central part of the QR code, makes the two-factor authentication process more relevant, applicable, and practical.

5.5. Comparative Analysis with Existing 2FA Systems

As stated in Table 7, the proposed QR code-based two-factor authentication system achieves the lowest authentication time (3.2 ± 0.8 s), significantly outperforming SMS-based OTP and hardware token approaches. The results further indicate reduced deployment costs and superior user convenience due to offline capability and one-step verification. Importantly, the proposed method maintains a high security level comparable to TOTP and biometric systems, demonstrating a balanced trade-off between efficiency, usability, and security.

5.6. Scalability and Performance Analysis

A detailed scalability and performance analysis was performed, quantifying computational costs for QR code generation, shape embedding, and cryptographic operations, resulting in an overall authentication overhead of approximately 60–210 ms, depending on the QR version. Server load evaluation shows support for up to 10,000 concurrent requests per second per node with a 4 KB per-session memory footprint, minimal database latency, and sustained sub-100 ms response times at the 95th percentile under 50,000 requests per second using horizontal scaling. The system demonstrates linear scalability through a stateless architecture, significant load reduction via Redis caching and CDN-based QR delivery, and cost-efficient operation at approximately $0.08 per 1000 authentications on a scale of one million daily requests.

6. Limitations and Future Work

We acknowledge the limitation of a small sample size: twenty participants evaluated ninety QR codes, providing 1800 individual data points, which adds statistical robustness. While this sample size provides initial insights into shape clarity, visual esthetics, and scannability preferences, we acknowledge it may not fully capture the diversity of user populations and preferences. The results should be considered preliminary findings that establish design guidelines requiring validation with larger, more diverse user groups. While the trends observed offer valuable insights, future research will involve larger and more diverse participant groups to validate these findings. Expanding the participant pool will allow for inferential statistical analyses and greater generalizability of the results. The use of two colors, black and white, on a version 5 QR code in a constrained environment limits the generalizability of the method.
In future work, generalizability to more adverse or diverse scenarios can be increased by investigating other settings, including screens with higher resolution, refresh rate, and color depth, and real-world environmental contexts, including outdoor light, motion, and obstruction. The plan is to use a wider variety of demographics, devices (15–20 smartphones spanning different price points and camera specifications), and lighting conditions such as flickering light, colored light, and backlit screens. Future studies can also use QR codes with distortions, reduced contrast, and overlapping backgrounds at higher versions.
Future work includes a large-scale IRB-approved user study with over 500 participants, extended cross-device compatibility testing across a wide range of smartphones, and a professional third-party security audit aligned with OWASP guidelines. It also prioritizes accessibility enhancements compliant with WCAG 2.1 AA standards [57], incorporating alternative visual representations and assistive technology support to ensure inclusive authentication. Real-world applications may include integration with existing authentication infrastructures via OAuth 2.0 and OpenID Connect, supported by pilot deployments in real-world organizational settings with defined timelines, resources, and evaluation metrics.

7. Conclusions

The proposed multi-factor authentication approach enables fast and secure login and authentication within 3.2 ± 0.8 s, without manual code entry, by allowing users to respond via mobile interaction, eliminating input errors and OTP waiting delays. Experimental results and user feedback emphasize that carefully selecting geometric shape parameters is essential to balance visibility and reliable QR code decoding, with the IMEI and a SHA-256-hashed device identifier used for security.
This study evaluated optimal outline widths for QR codes with embedded geometric shapes, focusing on user perceptions of shape-specific preferences, color visibility, and usability based on positioning on a version 5 QR code. For black shapes, circles and triangles were most effective with outline widths of 2–4, while squares worked best with thicker outline widths of 3–5, with optimum values of 4 and 5. White shapes required thicker outlines (3–5) to maintain visibility against the QR code’s background, with optimum values of 4 and 5 for triangles and squares. Decoding tests across various devices, distances, and lighting conditions confirmed these recommendations, showing that these outline widths provided strong scannability and flexibility in various settings, ensuring symmetric clarity and esthetic appeal without compromising usability.
The multiple shapes embedded in a QR code, combined with shape-count-based questions, enhance the robustness, security, and realism of the two-factor authentication process. Since QR code versions vary, the shape size, outline width, and placement must be adapted accordingly, as version changes directly affect valid embedding positions.
Future work will validate the proposed method through large-scale user studies, diverse device and environmental testing, accessibility enhancements, formal security audits, and real-world system integration.

Supplementary Materials

The following supporting information can be downloaded at: https://www.mdpi.com/article/10.3390/sym18010069/s1.

Author Contributions

Conceptualization, M.A. and R.-Z.W.; methodology, M.A.; software, M.A.; validation, M.A. and R.-Z.W.; formal analysis, M.A.; investigation, M.A.; resources, M.A.; data curation, M.A.; writing—original draft preparation, M.A.; writing—review and editing, M.A. and R.-Z.W.; visualization, M.A.; supervision, R.-Z.W.; project administration, M.A.; funding acquisition, R.-Z.W. All authors have read and agreed to the published version of the manuscript.

Funding

This research received no external funding.

Data Availability Statement

The data supporting the reported results are available upon reasonable request from the corresponding author. Due to privacy and ethical restrictions, the data generated during this study, including QR code patterns and user feedback, are not publicly available. Any requests for data should respect the privacy of the participants involved in the study.

Acknowledgments

We would like to express our sincere gratitude to Yuan Ze University for providing us with an environment where research activities proceed smoothly. We also extend our appreciation to the participants who took part in the user evaluation, as their feedback was crucial for the success of this research. Special thanks go to our lab mates for their continued support and encouragement throughout this project.

Conflicts of Interest

The authors declare no conflicts of interest.

References

  1. İşler, D.; Küpçü, A.; Coskun, A. User Study on Single Password Authentication. IACR Cryptol. ePrint Arch. 2018, 1, 1–31.
  2. Saxena, N.; Voris, J. Exploring Mobile Proxies for Better Password Authentication. In Information and Communications Security; ICICS, Lecture Notes in Computer Science; Springer: Berlin/Heidelberg, Germany, 2012; pp. 293–302.
  3. Saltzer, J.H.; Schroeder, M.D. The protection of information in computer systems. Proc. IEEE 1975, 63, 1278–1308.
  4. Conklin, A.; Dietrich, G.; Walz, D. Password-based authentication: A system perspective. In Proceedings of the 37th Annual Hawaii International Conference on System Sciences; IEEE Computer Society: Washington, DC, USA, 2004; pp. 2645–2654.
  5. Jang-Jaccard, J.; Nepal, S. A survey of emerging threats in cybersecurity. J. Comput. Syst. Sci. 2014, 80, 973–993.
  6. Aslan, Ö.; Aktuğ, S.S.; Ozkan-Okay, M.; Yilmaz, A.A.; Akin, E. A Comprehensive Review of Cyber Security Vulnerabilities, Threats, Attacks, and Solutions. Electronics 2023, 12, 1333.
  7. Carlos Arcila, L.R.; Pritam, N. RSA Breach Leaks Data for Hacking SecurID Tokens. 2023. Available online: https://inquest.net/wp-content/uploads/2023-data-breach-investigations-report-dbir.pdf (accessed on 28 December 2023).
  8. Djeki, E.; Dégila, J.; Alhassan, M.H. Reimagining Authentication: A User-Centric Two-Factor Authentication with Personalized Image Verification. In 2024 ASU International Conference in Emerging Technologies for Sustainability and Intelligent Systems, ICETSIS; Institute of Electrical and Electronics Engineers Inc.: Piscataway, NJ, USA, 2024; pp. 281–285.
  9. Ometov, A.; Bezzateev, S.; Mäkitalo, N.; Andreev, S.; Mikkonen, T.; Koucheryavy, Y. Multi-Factor Authentication: A Survey. Cryptography 2018, 2, 1.
  10. Goel, S.; Williams, K.; Dincelli, E. Got Phished? Internet Security and Human Vulnerability. J. Assoc. Inf. Syst. 2017, 18, 22–44.
  11. Papathanasiou, A.; Liontos, G.; Liagkou, V.; Glavas, E. Business Email Compromise (BEC) Attacks: Threats, Vulnerabilities and Countermeasures—A Perspective on the Greek Landscape. J. Cybersecur. Priv. 2023, 3, 610–637.
  12. Naomi, J.M.D.; Lefkovitz, B. Digital Identity Guidelines: Authentication and Lifecycle Management. Natl. Inst. Stand. Technol. J. 2017, 800–863B, 1–79.
  13. Jarecki, S.; Jubur, M.; Krawczyk, H.; Saxena, N.; Shirvanian, M. Two-factor Password-authenticated Key Exchange with End-to-end Security. ACM Trans. Priv. Secur. 2021, 24, 1–37.
  14. Bhanderi, D.; Kavathiya, M.; Bhut, T.; Kaur, H.; Mehta, M. Impact of Two-Factor Authentication on User Convenience and Security. In Proceedings of the 2023 10th International Conference on Computing for Sustainable Global Development (INDIACom), New Delhi, India, 15–17 March 2023; pp. 617–622. Available online: https://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=10112421 (accessed on 15 March 2023).
  15. Paul Kirvan, M.C.; Loshin, P. What is Two-Factor Authentication (2FA)? Techtarget. Available online: https://www.techtarget.com/searchsecurity/definition/two-factor-authentication (accessed on 28 December 2023).
  16. Wu, Y.; Pang, M.; Ma, J.; Ou, W.; Yue, Q.; Han, W. An Identity Management Scheme Based on Multi-Factor Authentication and Dynamic Trust Evaluation for Telemedicine. Sensors 2025, 25, 2118.
  17. Ali, G.; Dida, M.A.; Sam, A.E. A Secure and Efficient Multi-Factor Authentication Algorithm for Mobile Money Applications. Futur. Internet 2021, 13, 299.
  18. Nanzatov, A.; Peña-Castillo, L.; Meruvia-Pastor, O. NRXR-ID: Two-Factor Authentication (2FA) in VR Using Near-Range Extended Reality and Smartphones. Electronics 2025, 14, 3368.
  19. Čižiūnienė, K.; Prokopovič, M.; Zaranka, J.; Matijošius, J. Biometric Breakthroughs for Sustainable Travel: Transforming Public Transportation through Secure Identification. Sustainability 2024, 16, 5071.
  20. Wen, Y.; Su, Y.; Li, W. Post-Quantum Secure Multi-Factor Authentication Protocol for Multi-Server Architecture. Entropy 2025, 27, 765.
  21. Tran-Truong, P.T.; Pham, M.Q.; Son, H.X.; Nguyen, D.L.; Nguyen, M.B.; Tran, K.L.; Van, L.C.; Le, K.T.; Vo, K.H.; Kim, N.N.; et al. A systematic review of multi-factor authentication in digital payment systems: NIST standards alignment and industry implementation analysis. J. Syst. Arch. 2025, 162, 103402.
  22. Krishnaprabha, R. Secure multi-factor authentication and digital identity management using twisted group ring-based cryptography. Int. J. Inf. Technol. 2025, 1, 1–15.
  23. Sun, N.; Liu, Y.; Zhang, Y.; Liu, Y. Decoupling Online Ride-Hailing Services: A Privacy Protection Scheme Based on Decentralized Identity. Electronics 2024, 13, 4060.
  24. AlJanah, S.; Zhang, N.; Tay, S.W. Optimizing Group Multi-Factor Authentication for Secure and Efficient IoT Device Communications. Cryptography 2025, 9, 35.
  25. Manowska, A.; Boros, M.; Hassan, M.W.; Bluszcz, A.; Tobór-Osadnik, K. A Modern Approach to Securing Critical Infrastructure in Energy Transmission Networks: Integration of Cryptographic Mechanisms and Biometric Data. Electronics 2024, 13, 2849.
  26. Chen, T.-H.; Huang, J.-C. A novel user-participating authentication scheme. J. Syst. Softw. 2010, 83, 861–867.
  27. Sain, M.; Kim, K.-H.; Kang, Y.-J.; Lee, H.J. An Improved Two Factor User Authentication Framework Based on CAPTCHA and Visual Secret Sharing. In The 22nd IEEE International Conference on Computational Science and Engineering, the 17th IEEE International Conference on Embedded and Ubiquitous Computing CSE/EUC 2019; IEEE: Piscataway, NJ, USA, 2019; pp. 171–175.
  28. Wilkinson, D. SMS or Email for Two-Factor Authentication? SimpleTexting. Available online: https://simpletexting.com/blog/sms-vs-email-2fa/ (accessed on 28 December 2023).
  29. Gill, A. Using Geo-Location Data in the Authentication Process. CURITY. Available online: https://curity.io/resources/learn/geolocation-overview/ (accessed on 28 December 2023).
  30. Doctro, K. Introduction to Cyber Security: Stay Safe Online. The Open University|OpenLearn. Available online: https://www.open.edu/openlearn/mod/oucontent/view.php?id=48261 (accessed on 28 December 2023).
  31. David Kopack, B.S. Secure QR Code Authentication, Version 1.0; OASIS Open: Woburn, MA, USA, 2022; Volume 1, 1–25. Available online: https://docs.oasis-open.org/esat/sqrap/v1.0/csd01/sqrap-v1.0-csd01.html (accessed on 20 March 2023).
  32. Okazaki, S.; Li, H.; Hirose, M. Benchmarking the Use of QR Code in Mobile Promotion. J. Advert. Res. 2012, 52, 102–117.
  33. Chang, J.H. An introduction to using QR codes in scholarly journals. Sci. Ed. 2014, 1, 113–117.
  34. Chow, Y.-W.; Susilo, W.; Wang, J.; Buckland, R.; Baek, J.; Kim, J.; Li, N. Utilizing QR codes to verify the visual fidelity of image datasets for machine learning. J. Netw. Comput. Appl. 2021, 173, 102834.
  35. Tirfe, D.; Anand, V.K. A Survey on Trends of Two-Factor Authentication. Lect. Notes Netw. Syst. 2022, 281, 285–296.
  36. AlQahtani, A.A.S.; Alamleh, H.; Gourd, J. BF2FA: Beacon Frame Two-factor Authentication. In Proceedings of the 2020 IEEE International Conference on Communication, Networks and Satellite (Comnetsat), Batam, Indonesia, 17–18 December 2020; pp. 357–361.
  37. Shirvanian, M.; Agrawal, S. 2D-2FA: A New Dimension in Two-Factor Authentication. In ACSAC ’21: Proceedings of the 37th Annual Computer Security Applications Conference; Association for Computing Machinery: New York, NY, USA, 2021; pp. 482–496.
  38. von Ahn, L.; Blum, M.; Hopper, N.J.; Langford, J. CAPTCHA: Using Hard AI Problems for Security. In Advances in Cryptology—EUROCRYPT 2003, International Conference on the Theory and Applications of Cryptographic Techniques; Springer: Berlin/Heidelberg, Germany, 2003; pp. 294–311.
  39. Aloul, F.; Zahidi, S.; El-Hajj, W. Two Factor Authentication Using Mobile Phones. In Proceedings of the IEEE/ACS International Conference on Computer Systems and Applications, AICCSA 2009, Rabat, Morocco, 10–13 May 2009; pp. 641–644.
  40. Erdem, E.; Sandikkaya, M.T. OTPaaS—One Time Password as a Service. IEEE Trans. Inf. Forensics Secur. 2019, 14, 743–756.
  41. Collin Mulliner, J.-P.S.; Borgaonkar, R.; Stewin, P.; Seifert, P. SMS-based one-time passwords: Attacks and defense. In Detection of Intrusions and Malware, and Vulnerability Assessment: 10th International Conference, DIMVA 2013, Berlin, Germany, 18–19 July 2013; Association for Computing Machinery: New York, NY, USA, 2013; pp. 150–159.
  42. Putra, D.S.K.; Sadikin, M.A.; Windarta, S. S-Mbank: Secure Mobile Banking Authentication Scheme Using Signcryption, Pair Based Text Authentication, and Contactless Smartcard Susila Windarta. In Proceedings of the 2017 15th International Conference on Quality in Research (QiR): International Symposium on Electrical and Computer Engineering; IEEE Inc.: Piscataway, NJ, USA, 2017; pp. 230–234.
  43. Hedberg, T.D.; Krima, S.; Camelio, J.A. Embedding X.509 Digital Certificates in Three-Dimensional Models for Authentication, Authorization, and Traceability of Product Data. J. Comput. Inf. Sci. Eng. 2017, 17, 011008.
  44. Rodrigues, B.; Chaudhari, A.; More, S. Two factor verification using QR-code: A unique authentication system for Android smartphone users. In Proceedings of the 2016 2nd International Conference on Contemporary Computing and Informatics, IC3I 2016; Institute of Electrical and Electronics Engineers Inc.: Piscataway, NJ, USA, 2016; pp. 457–462.
  45. Fu, Z.; Cheng, Y.; Liu, S.; Yu, B. A new two-level information protection scheme based on visual cryptography and QR code with multiple decryptions. Measurement 2019, 141, 267–276.
  46. Mathivanan, P.; Balaji Ganesh, A. QR code based color image stego-crypto technique using dynamic bit replacement and logistic map. Optik 2021, 225, 165838.
  47. Yang, J.; Peng, H.; Liu, L.; Lu, L. 3D printed perforated QR codes. Comput. Graph. 2019, 81, 117–124.
  48. Yang, J.; Zhang, Y.; Lanting, C.J.M. Exploring the Impact of QR Codes in Authentication Protection: A Study Based on PMT and TPB. Wirel. Pers. Commun. 2017, 96, 5315–5334.
  49. Aciobanitei, I.; Buhus, I.C.; Pura, M.-L. Using Cryptography in the Cloud for Lightweight Authentication Protocols Based on QR Codes. In SACI 2018—IEEE 12th International Symposium on Applied Computational Intelligence and Informatics, Proceedings, 17–19 May 2018, Timisoara, Romania; IEEE Inc.: Piscataway, NJ, USA, 2018; pp. 539–542.
  50. Hicks, C.; Mavroudis, V.; Crowcroft, J. SIMple ID: QR Codes for Authentication Using Basic Mobile Phones in Developing Countries. In Security and Trust Management; STM 2022. Lecture Notes in Computer Science; Lenzini, G., Meng, W., Eds.; Springer Science and Business Media Deutschland GmbH: Berlin/Heidelberg, Germany, 2023; pp. 3–23.
  51. Alam, N.; Sagar, A.S.M.S.; Zhang, W.; Jin, T.; Dosset, A.; Dang, L.M.; Moon, H. A comprehensive study on enhanced QR extraction techniques with deep learning-based verification. Appl. Intell. 2025, 55, 676.
  52. Wang, R.; Huang, L.; Madden, K.; Wang, C. Enhancing QR Code System Security by Verifying the Scanner’s Gripping Hand Biometric. In WiSec ’24: Proceedings of the 17th ACM Conference on Security and Privacy in Wireless and Mobile Networks; Association for Computing Machinery: New York, NY, USA, 2024; pp. 42–53.
  53. Li, C.; Jin, Z.; Wang, F.; Zhang, Z.; Liu, B.; Guo, Y. A Novel QR Code-Based Solution for Secure Electronic Health Record Transfer in VTE Home Rehabilitation Management: The QRST-AB algorithm (Preprint). JMIR Rehabil. Assist. Technol. 2025, 12, e69230.
  54. Kuligowska, K.; Huć, A. Innovative QR code-based product authenticity safeguards: Case study of design considerations and technological challenges. Humanit. Soc. Sci. Rev. 2024, 12, 72–80.
  55. Husni, I.; Al Amin, I.H.; Lusiana, V.; Hartono, B.; Wahyu, D. QR Code-Based Attendance System for Contact Tracking Post-Pandemic. CogITo Smart J. 2024, 10, 15–29.
  56. Alsuhibany, S.A. Innovative QR Code System for Tamper-Proof Generation and Fraud-Resistant Verification. Sensors 2025, 25, 3855.
  57. Silva, L.; Pimentel, B.; Duarte, B.; Escarpini, R.; Sousa, L.; Cruz, N.; Silva, R. Accessibility by Design: A Systematic Review of Inclusive E-Book Standards, Tools, and Practices. Sustainability 2025, 17, 11173.
Figure 1. Framework for geometric patterns integration in QR codes.
Figure 2. QR code authentication system architecture diagram.
Figure 3. QR code authentication process. (a) QR code with embedded question related to number of shapes; (b) required text on mobile phone; and (c) options for selecting number of shapes from 1 to 5.
Figure 4. Preferred outline widths for black colors (20 participants).
Figure 5. Preferred outline widths for white colors (20 participants).
Figure 6. Best outline widths for black color circles and triangles ranging from 2 to 4 for three different orientations.
Figure 7. Best outline widths for black color squares ranging from 3 to 5 for three different orientations.
Figure 8. Best outline widths for white color circle, square, and triangles ranging from 3 to 5 for three different orientations.
Figure 9. Multiple similar shapes of black and white colors with best outline widths.
Figure 10. Multiple mixed shapes of black and white colors with best outline widths.
Table 1. Overview of multi-factor authentication approaches and their characteristics.

| Reference | Method | Benefits | Drawbacks | Cost | Efficiency | Applications |
|---|---|---|---|---|---|---|
| [35] | OTP, Biometrics, Digital Certificates | Strong security, prevents data breaches | Vulnerable to phishing, man-in-the-middle attacks, weak credentials | Moderate | High | Secure login, access control |
| [36] | RSSI for Location-Based Authentication | Strong security, uses existing infrastructure, non-intrusive | Requires multiple hardware, Wi-Fi dependent, privacy concerns | High | Moderate | Location-sensitive access control |
| [37] | 2D-2FA with High-Entropy PIN | Enhanced security, user engagement, automated PIN transmission | Requires additional devices, synchronization issues, network dependency | Moderate | High | Secure online transactions |
| [38] | CAPTCHA for User Verification | Effective bot detection, dual-layer verification, cognitive challenge | Time-consuming, prone to errors, by-passable by AI tools, scalability issues | Low | Moderate | Web-based authentication |
| [39] | Mobile Phones as Software Tokens (OTPs) | Familiar to users, backup via SMS, effective for short durations | Phone dependency, theft/loss risks, battery/connectivity issues | Low | High | Online banking, ATM transactions |
| [40] | Cloud-Based OTP | No SMS dependency, faster, integrates with cloud services | Internet dependency, cloud service vulnerabilities, software requirements | Moderate | High | Cloud-based systems, enterprise access |
| [41] | SMS-Based OTP | Works on all phones, no internet needed | SIM swapping, cellular coverage issues, SMS interception risks | Low | Moderate | General-purpose 2FA |
| [42] | Contactless Smart Card with PIN | Secure against SMS vulnerabilities, mutual authentication | Specialized hardware required, theft/loss of card, high cost | High | High | Mobile banking, secure enterprise access |
| [43] | Embedding X.509 Certificates in 3D Models | Enhances trust, authentication, and traceability of product data | Limited adoption, implementation challenges | Moderate | High | Aerospace, PLM workflows |
| [44] | QR Code with Encrypted IMEI | Resistant to phishing, secure matching of device identifiers | Requires device compatibility, QR code decoding issues | Moderate | High | Device-based authentication |
| [45] | QR Code with Visual Cryptography | Dual-layer protection, enhanced decryption techniques | Computational complexity, hardware dependency | High | Moderate | Data security, secure communications |
| [46] | QR Code for Multi-Level Security | High robustness, data embedding, encryption | High processing power required, decoding challenges | Moderate | High | Digital watermarking, secure communication |
| [47] | 3D Printable QR Code | Low visual alteration, high decoding robustness | Requires 3D printing infrastructure, design complexity | High | Moderate | 3D modeling, secure physical tagging |
| [49] | QR Code-Based Authentication with Cloud Cryptography | Increases security, reduces smartphone computational load | Requires reliable internet and cloud infrastructure | Moderate | High | Authentication systems |
| [50] | Extending SIM Card Standards to Generate QR Codes for Authentication | Secure, biometrics-free, and privacy-preserving | Limited to feature phones, dependent on SIM card infrastructure | Low | Moderate | Foundational eID systems |
| Proposed Method | QR Codes with Geometrical Shapes | Enhances security and usability, resistant to phishing and man-in-the-middle attacks, faster recognition, seamless integration | Potential challenges with QR code readability and implementation complexity | Low to Moderate | High | Secure authentication systems |

Table 2. User’s perception survey details.

| Outline Width | Shapes | Colors | Positions | Users | User’s Perception |
|---|---|---|---|---|---|
| 1–5 | Square, Circle, Triangle | Black, White | 3 | Male = 10, Female = 10 | Clarity, Visual Esthetics, Usability |

Table 3. Scanning test requirements.

| Screen Details | Mobile Used | Distance (cm) | Lighting |
|---|---|---|---|
| 1920 × 1080, 60 Hz, RGB color | iPhone 14 ProMax, Samsung S23, and Asus ROG phone 7 | 10, 50 and 100 | Low, Medium, and Bright |

Table 4. Statistical results for black shapes.

| Statistic | Circle | Triangle | Square |
|---|---|---|---|
| Count | 20.0 | 20.0 | 20.0 |
| Mean | 2.9 | 2.8 | 4.2 |
| Std | 0.8522 | 0.6959 | 0.8944 |
| Min | 2.0 | 2.0 | 3.0 |
| 25% | 2.0 | 2.0 | 3.0 |
| 50% | 3.0 | 3.0 | 4.5 |
| 75% | 4.0 | 3.0 | 5.0 |
| Max | 4.0 | 4.0 | 5.0 |

Table 5. Statistical results for white shapes.

| Statistic | Circle | Triangle | Square |
|---|---|---|---|
| Count | 20.0 | 20.0 | 20.0 |
| Mean | 4.0 | 4.1 | 4.1 |
| Std | 0.9177 | 0.7182 | 0.9119 |
| Min | 3.0 | 3.0 | 3.0 |
| 25% | 3.0 | 4.0 | 3.0 |
| 50% | 4.0 | 4.0 | 4.0 |
| 75% | 5.0 | 5.0 | 5.0 |
| Max | 5.0 | 5.0 | 5.0 |

Table 6. Optimal outline widths for QR code shapes by color and conditions.

| Shape | Color | Outline Width | Optimal Conditions |
|---|---|---|---|
| Circle | Black | 2–4 | All lighting conditions |
| Triangle | Black | 2–3 | All distances |
| Square | Black | 4 and 5 | Medium-light, central placement preferred |
| Circle | White | 3–5 | High contrast required in bright lighting |
| Triangle | White | 4 and 5 | High contrast required in bright lighting |
| Square | White | 4 and 5 | High contrast required in bright lighting |

Table 7. Comparative analysis of two-factor authentication approaches.

| 2FA Method | Authentication Time (s) | Deployment Cost | User Convenience | Offline Capability | Security Level |
|---|---|---|---|---|---|
| SMS-based OTP | 12.5 ± 3.2 | Low initial/High per-user | Medium | No | Medium |
| Email OTP | 10.2 ± 2.9 | Low | Medium | No | Medium |
| Hardware Tokens | 8.1 ± 2.1 | High | Low | Yes | High |
| Biometric | 6.4 ± 1.8 | High | High | Yes | High |
| TOTP Apps | 5.3 ± 1.4 | Medium | High | Limited | High |
| QR Code-based (Proposed) | 3.2 ± 0.8 | Low | Very High | Yes | High |