QR Code Verification: QR Code Credential Verification

Last updated: 2/9/2026


Definition

QR Code Verification is a credential presentation and verification method in the EUDI Wallet ecosystem that uses Quick Response (QR) codes as the initial communication mechanism between a wallet holder and a relying party. The QR code serves as a bridge between the physical and digital worlds, enabling face-to-face (proximity) verification scenarios where the wallet holder displays a QR code on their smartphone screen, which the verifier scans using a dedicated reader application or device. This mechanism supports both the ISO 18013-5 mobile driving license standard and the OpenID4VP protocol for verifiable presentations, making it a versatile verification method that works across different credential types, online and offline environments, and cross-border scenarios throughout the EU.

How QR Code Verification Works in EUDI Wallets

The QR code verification flow in the EUDI Wallet follows a carefully designed protocol that balances usability with security. The process begins when a verifier needs to check a credential, for example a police officer checking a mobile driving license, a bartender verifying age, or a border guard confirming identity. Either the verifier's application generates a verification request and presents it as a QR code for the wallet holder to scan, or the wallet generates a device engagement QR code for the verifier to scan.

In the ISO 18013-5 proximity flow (used for mobile driving licenses), the wallet holder opens their EUDI Wallet app and selects the credential to present. The wallet displays a device engagement QR code containing an ephemeral public key and connection parameters. The verifier scans this QR code, extracts the connection information, and establishes a secure session using Bluetooth Low Energy (BLE), NFC, or Wi-Fi Aware. The actual credential data is then transmitted over this encrypted channel, not through the QR code itself.

For online verification scenarios using OpenID4VP, the flow is reversed: the relying party website displays a QR code containing an authorization request URI. The user scans this QR code with their EUDI Wallet, reviews the requested attributes, and authorizes the presentation. The wallet then sends the verifiable presentation directly to the relying party's backend over HTTPS. This same-device and cross-device flow pattern makes QR codes equally useful for in-person and remote verification.

Offline Verification Capabilities

One of the most important properties of QR code verification in the EUDI Wallet ecosystem is its ability to function without internet connectivity. This is critical for real-world deployment scenarios where network access is unreliable or unavailable, such as rural traffic stops, underground venues, emergency situations, or remote border crossings. The offline capability is achieved through several design decisions.

First, the credential signatures are self-contained: the issuer's digital signature on the credential can be verified using the issuer's public key, which the verifier caches locally from the EU Trusted Lists. Second, the local communication channel (BLE or NFC) operates independently of internet connectivity. Third, revocation status can be checked using short-lived credentials or pre-cached status lists that the verifier periodically updates when connectivity is available.

The offline verification model does introduce a trade-off regarding revocation freshness. If a credential has been revoked after the verifier's last status update, the verifier may accept a revoked credential. To mitigate this, the EUDI Wallet ecosystem uses credential validity periods (short-lived attestations that expire frequently) and encourages verifiers to update their cached revocation data as frequently as possible. For high-security scenarios, the verifier can require online verification to check real-time revocation status.

Security Architecture of QR Code Presentations

The security of QR code verification relies on multiple cryptographic layers rather than on the QR code format itself. Each verification session uses ephemeral key agreement to establish a fresh encrypted channel, preventing replay attacks. The session transcript (a hash of all exchanged messages) is included in the wallet's response, ensuring that a captured presentation cannot be replayed in a different session.

Device binding provides an additional security layer: when the wallet presents a credential, it includes a proof of possession signed by the device-bound private key stored in the secure enclave. This proves that the credential is being presented from the legitimate device, not from a clone or screenshot. Even if an attacker photographs the QR code from the wallet holder's screen, they cannot complete the verification protocol because they lack the device-bound private key.
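The device-engagement QR payload, session transcript and device-bound proof of possession from the two paragraphs above, as an added Go example that is not code from the EUDI reference wallet or from ISO 18013-5 itself: the JSON payload, the SHA-256 transcript over the scanned payload plus reader key, and the reader's placeholder key bytes are simplified stand-ins, and the encrypted BLE/NFC channel is omitted.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/json"
	"fmt"
)

// NewDeviceEngagement (wallet side) mints a fresh ephemeral key per session and returns it with the QR payload.
func NewDeviceEngagement() (*ecdsa.PrivateKey, []byte, error) {
	eph, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	pub, _ := x509.MarshalPKIXPublicKey(&eph.PublicKey)
	qr, err := json.Marshal(map[string]any{"epk": pub, "transport": "ble"}) // constructed JSON; ISO 18013-5 uses CBOR
	return eph, qr, err
}

// SessionTranscript binds a presentation to one session: hash(QR payload exactly as scanned || reader ephemeral key).
func SessionTranscript(qrPayload, readerPub []byte) []byte {
	h := sha256.Sum256(append(append([]byte{}, qrPayload...), readerPub...))
	return h[:]
}

// SignDeviceAuth (wallet side): the device-bound key signs the transcript together with the disclosed data.
func SignDeviceAuth(devKey *ecdsa.PrivateKey, transcript, disclosed []byte) ([]byte, error) {
	d := sha256.Sum256(append(append([]byte{}, transcript...), disclosed...))
	return ecdsa.SignASN1(rand.Reader, devKey, d[:])
}

// VerifyDeviceAuth (reader side) recomputes the digest with its *own* transcript, so a response captured in another session fails.
func VerifyDeviceAuth(devPub *ecdsa.PublicKey, transcript, disclosed, sig []byte) bool {
	d := sha256.Sum256(append(append([]byte{}, transcript...), disclosed...))
	return ecdsa.VerifyASN1(devPub, d[:], sig)
}

func main() {
	devKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // device-bound key (secure enclave in practice)
	_, qrA, _ := NewDeviceEngagement()
	_, qrB, _ := NewDeviceEngagement() // a later session: different QR payload, hence different transcript
	reader, disclosed := []byte("constructed-reader-ephemeral-pub"), []byte(`{"age_over_18":true}`)
	sig, _ := SignDeviceAuth(devKey, SessionTranscript(qrA, reader), disclosed)
	fmt.Println(VerifyDeviceAuth(&devKey.PublicKey, SessionTranscript(qrA, reader), disclosed, sig)) // true
	fmt.Println(VerifyDeviceAuth(&devKey.PublicKey, SessionTranscript(qrB, reader), disclosed, sig)) // false
}
```

A photograph of the QR code gives an attacker only the public half of the engagement key; without the device-bound private key no valid signature over a fresh transcript can be produced.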

The selective disclosure mechanism allows the wallet to present only the specific attributes requested by the verifier, rather than the entire credential. For an age verification, the QR code flow results in only a boolean "over 18" confirmation being transmitted, not the full driving license data. This minimizes the data exposure in each verification transaction and aligns with the GDPR data minimization principle.
