2 comments

[ 3.2 ms ] story [ 16.0 ms ] thread
Two-way would be nice too.
Yes, but it would require a bit of extra user interaction to make it secure. Otherwise you might try to send something from the browser to your phone and it might actually go to the phone of an attacker behind you who also scanned it.

I think the solution would be to have the phone's screen turn green when it has successfully paired, and the user needs to verify that before sending to the phone. But everyone I've shown it to as-is hasn't been able to figure out how it works (except you). So I don't want to force any additional confusing steps on the user. In the future I might do it on a different site, without the focus on passwords.