Auth code per text message

[csteinlehner]

I just had a call with some designers to talk about the verification process. We came up with the idea to use as a standard a text message (SMS). The story could go like that.

1. Health authority call you about positive test result.
2. You are asked if you have the app to open it and go to the verification.
3. Health authority sends the auth code.
4. Phone pics automatically up the code in the text message (we need permission for that right? probably privacy relevant)
   4 alt. user copies code from the message (probably send autho code in separate message to enable easy copy/paste)
5. auth is done

Fallback:
User is told the code on the phone. (Error-prone, hard to hear are excluded, etc.)

Feedback on QR Solution:

• QR Codes are strange und feel technical, a lot of potential for user error
• QR Code on printed letters are slow to arrive (time between infection and report will be longer)
• QR Codes in e-mails could not be easily photographed on 1 device
• etc.

Are there any security concerns with sending the Code per text message? If yes, what could we do to work around this? Any other suggestions are very welcome.

[sascha10000]

When looking on SMS the only point that I wouldn't like is that the App reads every incoming one (is able to at least). It would basically be a handy way, but who sends the SMS...
Assume this:
-- Server generates Code
-- ...
-- Code is send from the doctor or any other personel via SMS to the tested person

How does the code reach the doctor?
-- Web portal where he can see codes? --> He will type the code by hand...
-- Server sends SMS to doctor including code and he forwards it
-- Server sends SMS (no option obv) --> anonymity wouldn't exist anymore (as the number would be bound to a positive tested person)

Open question: Has anybody worked with SMS on Phones and knows how the verfication codes are read automatically (read all SMS; whitelist certain numbers and only read those...)?

With QR Codes you could add a high correction level like 'H' with 30%. This means you can hide a third of the code and it is still readable. But you are right there are devices that may stress and we should at least have an alternate way to enter the verification code.

[csteinlehner]

@sascha10000 Thanks for your answer. Regarding the points:

How does the code reach the doctor?

• This problem we have for every method. We need a method where doctors can request a code from the auth server. This should ideally integrate well into their patient notification system without transferring data between these services. Maybe a simple webview for showing the code could be a method. I don't know very much about how the current patient notification is happening and how to integrate there well. Does anybody have more information on that topic?

QR Codes

• I think the biggest problem with QR is still, how do we get the QR Code from medical authorities to the patient?

[csteinlehner]

Another concern if is a 10 digit code is really feasible for a user. I think a shorter code, maybe just numbers with a shorter timeout (1 hour) could be easier to communicate over a phone and at the same time would be more save regarding lost codes.