SMSing might be good, but there are also a few reasons not to do so. For example, there are many users who don’t really want to enter their phone number anywhere on the Internet (and it is actually a good point, at least you get more privacy).
A few more reasons:
1. There are always third parties (the SMS gateway, the carrier) when you send SMS messages.
2. You cannot receive SMS if there’s no signal or if there’s no cellular module at all (a frequent use case on tablets, iPods, etc) — just the camera, Internet connection, QR code scanning application. :)
3. Sending SMS messages costs you money. In another hand, QR codes are generated for free. Also, it usually takes more effort to set up (and also it can break — relying on third party services is almost always less solid).
4. SMS messages can be slow (and sometimes you don’t receive a message at all). QR codes, in another hand, are very predictable and usually work pretty well (at least if the camera works correctly).
Correct. The only thing I’d also like to mention is security.
1. If there are XSS vulnerabilities on the website, an attacker could be able to use iframes (at least if you haven’t set X-Frame-Options to DENY) or XMLHttpRequest to retrieve an authentication QR code and use it to log into the user’s account.
2. Even without any XSS, it is possible that someone who has access to the user’s session (for example, if the user is still logged in on the website, but is away from the computer) could scan the QR code and, therefore, log into the user’s account.
Possible solutions include sending the QR code by email (actually, some users are always logged into their email accounts as well, so this might be meaningless) and prompting the user for their password before displaying the QR code (it is still much easier to type the password on a desktop/laptop computer’s keyboard rather than type the site address + login or email + password on a mobile device’s virtual keyboard).
Yup. That is how it was. Of course, if someone will add this and send me a pull request, it’ll be there. Or maybe I will make it myself later (actually, it should be pretty easy to implement).
A few more reasons:
1. There are always third parties (the SMS gateway, the carrier) when you send SMS messages.
2. You cannot receive SMS if there’s no signal or if there’s no cellular module at all (a frequent use case on tablets, iPods, etc) — just the camera, Internet connection, QR code scanning application. :)
3. Sending SMS messages costs you money. In another hand, QR codes are generated for free. Also, it usually takes more effort to set up (and also it can break — relying on third party services is almost always less solid).
4. SMS messages can be slow (and sometimes you don’t receive a message at all). QR codes, in another hand, are very predictable and usually work pretty well (at least if the camera works correctly).