How does Yandex authentication via QR code work, and how does it differ from the ‘Password + one-time password’ mode?
I’m trying to understand the authentication options in Yandex, but I can’t find information about what happens when logging in with a QR code. I’ve read all the documentation, but it seems outdated and doesn’t contain an answer to my question.
- When logging in with a username and password, you need to enter a one-time code - that’s clear.
- When logging in with a QR code, no passwords are requested, and login happens immediately.
Additionally, in the documentation for the ‘Password + one-time password’ and ‘One-time password’ login methods, the same text is provided for describing QR code login:
“If the Yandex Key application recognizes the QR code, it will send your username and one-time password to Yandex and you will automatically log in to the browser.”
How should this be interpreted? Doesn’t the server always send the one-time code?
I also have a second question: Why isn’t there a ‘One-time password’ option in the settings? Is this related to some limitations, or was this feature removed?
QR Code Authentication in Yandex: How It Works and Differences from Traditional Methods
QR code authentication in Yandex works based on cryptographic verification using a secret key, which fundamentally differs from the traditional “Password + One-Time Password” method. When logging in via QR code, the system verifies that the key was issued for a specific site and uses a token to confirm your identity without directly entering a password.
Table of Contents
- How QR Code Authentication Works
- Differences from “Password + One-Time Password” Mode
- Why the Documentation Has Identical Descriptions
- Absence of “One-Time Password” Option in Settings
- Practical Use and Security
- Technical Implementation Details
- Conclusion
How QR Code Authentication Works
The QR code authentication process is based on passwordless login technology using cryptographic keys:
- QR Code Generation: When attempting to log in to a site, the system generates a QR code containing an encrypted token and session login information
- Code Scanning: The user opens the Yandex.Key app on their smartphone and scans the QR code
- Authentication: The Yandex.Key app recognizes the QR code and sends your login and an automatically generated one-time password to the server
- Session Confirmation: The server receives a token marked “all good” and authenticates the user
As explained in Yandex’s official documentation, this process uses a “login — public key” pair for user authentication rather than traditional password entry.
Differences from “Password + One-Time Password” Mode
The main differences between these methods:
| Characteristic | QR Code Authentication | Password + One-Time Password |
|---|---|---|
| Password Entry | Not Required | Required |
| Code Entry | Automatic via app | Manual entry (SMS or from app) |
| Devices | Requires 2 devices (PC + smartphone) | One device |
| Speed | Faster (automatic transmission) | Slower (manual entry) |
| Security | Higher (cryptographic verification) | Standard two-factor |
The key difference is that when logging in via QR code, no password is requested - the system relies on cryptographic verification of the key issued for a specific site, as noted in the Yandex ID documentation.
Why the Documentation Has Identical Descriptions
You’re absolutely right - the documentation does have identical descriptions for both modes. This is because:
- Technical Implementation: Both methods ultimately use the Yandex.Key app to generate a one-time password
- Unified Mechanism: Regardless of whether you log in via QR code or manually enter a code, in both cases the app sends your login and one-time password to the server
- Documentation Simplification: Most likely, developers intentionally combined these descriptions to avoid redundant information
As explained in this Habr article, when scanning a QR code, the app sends a token with confirmation to the server, which is essentially the same process as entering a one-time code - just automated.
Absence of “One-Time Password” Option in Settings
There is indeed no “One-Time Password” option in settings, and this is due to several reasons:
- Technical Evolution: Yandex is gradually moving away from one-time passwords in favor of more modern authentication methods
- Security: QR code authentication is considered more secure as it eliminates the possibility of code interception during manual entry
- Interface Simplification: Yandex aims to maximize the simplification of the login process for users
As noted in sources, in 2022, passwordless login via image (QR code) was launched, and in 2024, compliance with industry data protection standards was confirmed - showing a strategic shift from traditional methods to modern technologies.
Practical Use and Security
Advantages of QR Code Authentication:
- Convenience: No need to remember or enter passwords
- Security: Eliminates the risk of password interception during entry
- Automation: The login process happens almost instantly
- Cross-platform: Works on any device with a camera
Limitations:
- Requires smartphone: User must have a device with a camera and the Yandex.Key app installed
- Battery dependency: If the smartphone runs out of battery, login via QR code becomes impossible
- Risk of device loss: In case of smartphone loss, access to the account may be limited
For setting up two-factor authentication via QR code, you need to:
- Confirm your phone number via SMS
- Install the Yandex.Key app on your smartphone
- Scan the QR code, which contains a secret key for adding the account
Technical Implementation Details
Cryptographic Foundation:
QR code authentication uses standard two-factor authentication protocols but with some features:
- Key Generation: When first used, a secret key is created that is encoded in the QR code
- Temporary Tokens: The Yandex.Key app generates temporary tokens based on the secret key
- Short-term Validity: Each token is valid for a limited time and cannot be reused
As described in this Allsoft article, the QR code for adding an account contains a secret key that is used to generate one-time passwords in the future.
Interaction Scheme:
Browser (PC) → QR Code Generation → Yandex.Key App (smartphone) → OTP Generation → Yandex Server → Login Confirmation
This scheme ensures secure transmission of authentication data without direct password entry by the user.
Conclusion
QR code authentication in Yandex is a modern passwordless login method that uses cryptographic keys to verify user identity. The main advantages of this method are convenience, security, and login speed.
Key differences from the traditional “Password + One-Time Password” method:
- No need to enter a password
- Automatic generation and transmission of code via the app
- Higher security level through cryptographic verification
The absence of a “One-Time Password” option in settings is part of Yandex’s strategy to transition to more modern and secure authentication methods. For maximum security, it is recommended to use QR code authentication, as well as keep backup access methods in case of smartphone loss.
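The interaction scheme above (browser, login QR code, Yandex.Key app, one-time password, server), as an added example that is not part of the original answer and is not Yandex code. It assumes standard RFC 6238 TOTP in place of Yandex's own algorithm, which the page does not specify; the `Server` class, its method names, the login `alice` and all sample values are hypothetical.

```python
import hashlib, hmac, secrets, struct

STEP = 30  # seconds per OTP window (RFC 6238 default; an assumption here)

def totp(secret, now, digits=6):
    """RFC 6238 TOTP (HMAC-SHA1) for the 30-second window containing `now`."""
    mac = hmac.new(secret, struct.pack(">Q", int(now) // STEP), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

class Server:
    def __init__(self):
        self.secrets = {}    # login -> secret shared at enrolment (the setup QR)
        self.last_step = {}  # login -> last time window in which a code was accepted
        self.sessions = {}   # session id shown in the login QR -> login, or None

    def new_qr_session(self):
        """Browser requests a login QR; it carries only a random session id."""
        sid = secrets.token_urlsafe(16)
        self.sessions[sid] = None
        return sid

    def confirm(self, sid, login, otp, now):
        """Phone app, after scanning: submits login + OTP for that session."""
        secret, step = self.secrets.get(login), int(now) // STEP
        if secret is None or sid not in self.sessions or self.sessions[sid]:
            return False     # unknown login, unknown session, or session already bound
        if step <= self.last_step.get(login, -1):
            return False     # a code from this window was already used: replay
        if not hmac.compare_digest(otp, totp(secret, now)):
            return False
        self.last_step[login] = step
        self.sessions[sid] = login
        return True

    def browser_poll(self, sid):  # browser polls until the session is bound
        return self.sessions.get(sid)

def demo():
    server, secret = Server(), secrets.token_bytes(20)  # constructed sample secret
    server.secrets["alice"] = secret                    # hypothetical login
    t = 1_700_000_000                                   # constructed timestamp
    sid = server.new_qr_session()
    first = server.confirm(sid, "alice", totp(secret, t), t)
    sid2 = server.new_qr_session()
    replay = server.confirm(sid2, "alice", totp(secret, t), t + 5)  # same window
    later = server.confirm(sid2, "alice", totp(secret, t + STEP), t + STEP)
    return first, server.browser_poll(sid), replay, later
```

In this model the one-time password is computed on the phone from the enrolled secret and the clock, and the server only recomputes and compares it; the QR code shown at login carries no secret, only the session to bind.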