
The biggest disadvantage of this scheme is that if a malicious actor can trick you into scanning an arbitrary QR code, they can get access to your account (by visiting the login page themselves to generate a QR code, and then sending you the code).

Discord implements this feature, and this phishing scheme is extremely common: bots/scammers will message you saying "to access <some desirable content>, please scan this QR code" -- and if you scan the code, the scammers have just taken over your account. It's not much harder than rickrolling someone unless they're savvy enough to be aware of the scam.

Of course this can be mitigated somewhat by putting a big scary confirmation screen that says "don't click continue unless you're trying to log into your account from another device", but 1) users don't read, they just click "continue"; and 2) the attacker controls the narrative before the user clicks the QR code; they can craft the language to make the scary warning screen make sense to the user ("yes, I am trying to log into this discord server that this person sent me a QR code to").



I feel like there should be a way to implement this in a phishing-resistant way. Maybe instead of a QR code some sort of video stream that updates dynamically? That would at least be much more difficult for attackers to pass through to the victim.
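To make the flow the thread is discussing concrete, here is a small model of a QR-code cross-device login server with its two clients: an unauthenticated "requesting" browser that displays the QR code, and an already-logged-in "scanning" phone that approves it. This is an added illustration, not Discord's code and not code from any commenter; the class and method names, the token format, the 60-second lifetime and the sample IP addresses and user agents are all constructed for the example. The defensive points it shows are the ones the comments above support: the token is short-lived and single-use, the confirmation step is given the requester's context (IP, browser) so the screen can say who is asking rather than just "continue?", and both sides of every approval are written to an audit log, which is where a scanner and a requester on unrelated networks become visible to a detection pipeline.

```python
"""Model of a QR-code cross-device login flow (constructed example).

Roles:
  requesting device  - unauthenticated browser that shows the QR code
  scanning device    - authenticated phone that decodes and approves it
Defences modelled: short token TTL, single-use tokens, requester context
exposed to the confirmation screen, and audit logging of both sides.
"""
import secrets
import time

TOKEN_TTL_SECONDS = 60  # a relayed QR image stops working quickly


class QRLoginServer:
    def __init__(self, now=time.time):
        self.now = now            # injectable clock, so expiry can be tested
        self.sessions = {}        # token -> session state
        self.audit = []           # log lines a SIEM/detection job would consume

    # Step 1: requesting (unauthenticated) device asks for a login token.
    # The returned token is what would be encoded into the QR image.
    def create_session(self, requester_ip, requester_ua):
        token = secrets.token_urlsafe(32)
        self.sessions[token] = {
            "created": self.now(),
            "requester_ip": requester_ip,
            "requester_ua": requester_ua,
            "state": "pending",
            "user": None,
        }
        return token

    def _live(self, token):
        s = self.sessions.get(token)
        if s is None:
            return None
        if self.now() - s["created"] > TOKEN_TTL_SECONDS:
            s["state"] = "expired"
            return None
        return s

    # Step 2: scanning device decodes the token and asks what it would be
    # approving. Returning the requester's context lets the confirmation
    # screen show "a Linux browser from 203.0.113.7 wants to log in as you".
    def describe(self, token):
        s = self._live(token)
        if s is None or s["state"] != "pending":
            return None
        return {
            "requester_ip": s["requester_ip"],
            "requester_ua": s["requester_ua"],
            "age_seconds": int(self.now() - s["created"]),
        }

    # Step 3: scanning (authenticated) device approves after the
    # confirmation screen. Both endpoints are logged together.
    def approve(self, token, user, scanner_ip):
        s = self._live(token)
        if s is None or s["state"] != "pending":
            return False
        s["state"] = "approved"
        s["user"] = user
        self.audit.append(
            f"qr_login user={user} scanner_ip={scanner_ip} "
            f"requester_ip={s['requester_ip']} requester_ua={s['requester_ua']!r}"
        )
        return True

    # Step 4: requesting device polls; the token is consumed on success,
    # so a second poll (or a second approval) of the same token fails.
    def poll(self, token):
        s = self._live(token)
        if s is None or s["state"] != "approved":
            return None
        s["state"] = "consumed"
        return {"user": s["user"], "session": secrets.token_urlsafe(16)}


def run_legitimate_flow(server):
    """Walk one honest login and return the user the requester ends up as."""
    token = server.create_session("203.0.113.7", "Mozilla/5.0 (X11; Linux)")
    context = server.describe(token)          # shown on the phone's confirm screen
    server.approve(token, "alice", "203.0.113.7")  # same network as requester
    result = server.poll(token)
    return context, result


if __name__ == "__main__":
    srv = QRLoginServer()
    ctx, res = run_legitimate_flow(srv)
    print("confirmation context:", ctx)
    print("requester logged in as:", res["user"])
    print("audit:", srv.audit[0])
```

The audit line is the part worth keeping in a real deployment: the flow is the same whether the scanner approved their own browser or a stranger's, so the requester's address and user agent next to the scanner's are the only record that distinguishes the two after the fact.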



