---
url: 'https://www.corbado.com/blog/qr-code-login-conversion'
title: 'QR Code Login: How well does it really work?'
description: 'QR code login shines in demos but cross-device gaps, Bluetooth and scan friction cut conversion. Where it works, where it breaks and how to measure it.'
lang: 'en'
author: 'Vincent Delitz'
date: '2026-06-22T08:19:11.805Z'
lastModified: '2026-06-22T08:19:11.805Z'
keywords: 'qr code login conversion, webauthn hybrid transport qr code bluetooth required'
category: 'Authentication'
---

# QR Code Login: How well does it really work?

## 1. Introduction: does QR Code Login actually convert?

[QR code login](https://www.corbado.com/blog/qr-code-login-authentication) looks effortless in a demo: show a code, scan
it with a phone, you are in. That clean handoff is why it powers desktop login for WhatsApp,
Revolut and modern passkey cross-device flows. But "looks effortless in a demo" and "converts well
in production" are two different claims, and the gap between them is where teams lose users.

This article is not about what QR login is or how to build it - the
[QR code login methods guide](https://www.corbado.com/blog/qr-code-login-authentication) and our
[passkey QR code deep-dive](https://www.corbado.com/blog/webauthn-passkey-qr-code) cover that. It is about how well it
actually works: where it converts, where it quietly breaks and how to measure the difference so you
know whether QR login is helping or hurting your funnel.

### 1.1 What this article covers

- The ideal case where QR login is genuinely excellent
- The hidden conversion killers: device availability, scan friction and Bluetooth
- Why passkey QR login depends on a Bluetooth proximity check
- How to instrument the QR flow so drop-off stops being invisible

### 1.2 Two kinds of QR login

Before talking about conversion, it is worth separating the two methods that both get called "QR
login", because they work differently and fail differently:

- **Passkey QR login (FIDO2 hybrid transport).** The desktop shows a QR code, the phone scans it and
  a Bluetooth Low Energy proximity check links the two devices before a domain-bound
  [passkey](https://www.corbado.com/glossary/passkey) completes the login. It is phishing-resistant, but it depends on
  Bluetooth. This is the cross-device passkey flow covered in our
  [passkey QR code deep-dive](https://www.corbado.com/blog/webauthn-passkey-qr-code).
- **Native app QR login (session handoff).** The desktop shows a QR code, an already logged-in mobile
  app (think WhatsApp Web or Revolut) scans it and hands its existing session over to the desktop via
  deep linking. There is no Bluetooth requirement, so it sidesteps that constraint, but security
  rests on the app session plus a short-lived code rather than a proximity check.

The rest of this article keeps these two apart, because blending them into one "QR login" number
hides why it converts the way it does.

## 2. The Ideal Case: where QR Login is excellent

QR login is at its best in one specific situation: a user with their phone already in hand and
already logged in on that phone, scanning a code on a desktop screen that is physically in front of
them. In that case it is close to magical - no password typed on the desktop, no code relayed, just
a scan and a confirmation.

This is why it is such a good fit for desktop onboarding of a mobile-first audience, as explored in
[cross-device authentication](https://www.corbado.com/blog/webauthn-cross-device-authentication-passkeys-mobile-first). The
phone is the trust anchor, the desktop is the destination and the QR code is the bridge. When the
preconditions hold, QR login converts extremely well.

The problem is that those preconditions do not always hold, and every missing one is a drop-off.

## 3. Hidden Conversion Killers

### 3.1 Device availability and scan friction

The flow assumes the phone is reachable and the user knows how to scan. In practice the user may not
have the phone to hand at the desktop, may not realise they need it, or may struggle to open a
scanner - older Android cameras and some locked-down devices do not scan QR codes from the default
camera. Each hesitation at the highest-intent moment is exactly the
[login friction that kills conversion](https://www.corbado.com/blog/login-friction-kills-conversion).

### 3.2 The Bluetooth requirement for Passkey QR Login

This is the one most teams miss. Passkey QR login uses the FIDO2 hybrid transport, and scanning the
code starts a **Bluetooth Low Energy proximity check** between phone and desktop. That step is a
deliberate anti-phishing control - it proves the devices are physically close, so an attacker cannot
finish the login from a remote machine. The trade-off is hard: if Bluetooth is off, unsupported or
blocked by enterprise policy, the flow simply cannot complete. Our own search data shows real demand
behind queries like "webauthn hybrid transport qr code bluetooth required", which is users and AI
assistants running straight into this constraint.

### 3.3 Network and proximity mismatches

If the phone is on mobile data and the desktop is on a corporate Wi-Fi, or the two are not actually
near each other, the handoff can stall. The user sees a code that never resolves and gives up,
which standard analytics record as an abandon rather than a proximity failure.

## 4. Passkey QR vs Native App QR: different Failure Modes

The two common kinds of QR login fail differently, which matters when you read your funnel:

- **Passkey QR login** is phishing-resistant thanks to the Bluetooth proximity check, but that same
  check is its main conversion risk: no Bluetooth, no login.
- **Native app QR login** (deep linking into an installed, logged-in app) has no proximity
  requirement, so it sidesteps the Bluetooth problem, but it depends on the app being installed and
  signed in, and it is weaker against remote abuse unless the code is short-lived.

The full security and architecture comparison lives in the
[QR code login methods guide](https://www.corbado.com/blog/qr-code-login-authentication); the point here is that "QR login
converts badly" is rarely true in general - it is usually one specific precondition failing for one
specific segment.

> If QR login is a major path for you, do not judge it on a blended completion rate. A single number
> hides the fact that it converts near-perfectly for prepared mobile users and poorly for users
> without Bluetooth, without the phone or on mismatched networks. Always offer a non-QR fallback.

## 5. How to measure QR Login Conversion

QR login is especially prone to invisible drop-off because the failure often happens on a second
device that your primary analytics never see. To get the truth, instrument the handoff as its own
funnel:

- **Track each step:** `qr_code_shown`, `qr_code_scanned`, `proximity_check_started`,
  `login_confirmed`, `session_established`. The drop between scanned and proximity is your Bluetooth
  signal.
- **Segment by OS and device:** iOS, Android version and desktop platform behave differently,
  especially around Bluetooth and camera scanning.
- **Separate passkey QR from native app QR** so their very different failure modes do not average
  into a meaningless blend.
- **Watch fallback usage:** users who abandon the QR flow and switch to another method are telling
  you the QR preconditions failed for them.

This is the same [authentication observability](https://www.corbado.com/blog/authentication-observability) and
[method-comparison discipline](https://www.corbado.com/blog/authentication-analytics-playbook) we apply to every method:
turn "QR login feels flaky" into "passkey QR completes well on iOS but drops at the proximity step
on a measurable share of Android sessions, so we should detect Bluetooth state and fall back
earlier".

## 6. Conclusion: a great Method with sharp Edges

QR code login is genuinely excellent in its ideal case and genuinely fragile outside it. The
question is never "does QR login work" in the abstract - it is "for which of my users do the
preconditions hold". Three takeaways:

1. **Protect the ideal case.** For prepared mobile users scanning a nearby desktop, QR login is one
   of the smoothest methods there is.
2. **Respect the Bluetooth constraint.** Passkey QR login needs proximity, so detect Bluetooth state
   and fall back gracefully instead of dead-ending the user.
3. **Measure step by step.** Segment the QR funnel by step, OS and device so its real conversion -
   not a misleading blended average - drives your decisions.

Done right, QR login is a powerful cross-device bridge. Measured honestly, it tells you exactly when
to lean on it and when to route users somewhere else.

## Frequently Asked Questions

### How well does QR code login actually work?

QR code login works very well in its ideal case - a logged-in phone scanning a desktop screen on the
same network - and noticeably worse outside it. Conversion drops when the user has to find a camera
or scanner, when the phone and desktop are not in proximity, and for passkey QR login specifically
when Bluetooth is off or blocked, since the FIDO hybrid flow requires it. So the honest answer is
that QR login is a strong desktop-handoff method for prepared users and a fragile one for unprepared
users, and the gap is large enough that it must be measured rather than assumed.

### Why does passkey QR code login require Bluetooth?

Passkey QR login uses the FIDO2 hybrid transport, where scanning the QR code starts a Bluetooth Low
Energy proximity check between the phone and the desktop. That proximity step is a deliberate
anti-phishing measure: it proves the two devices are physically near each other, so an attacker
cannot complete the login from a remote machine by tricking the user into scanning a code. The
trade-off is that if Bluetooth is disabled, unsupported or blocked by policy, the flow cannot
complete.

### Why do users drop off during QR code login?

The common drop-off points are: the user does not have the phone to hand, they cannot find how to
open a scanner, the camera or scan fails, the two devices are not in Bluetooth proximity for passkey
QR login, or the phone is on mobile data while the desktop is on Wi-Fi and the handoff stalls. Each
of these looks like a generic abandon in standard analytics, which is why QR login conversion is
usually underestimated until the funnel is segmented by step.

### Is QR code login secure?

It depends on the type. Passkey-based QR login is phishing-resistant because it combines a
domain-bound credential with a Bluetooth proximity check, earning a high security rating. Native app
QR login, which relies on an existing logged-in app session and deep linking, is more convenient but
lacks proximity verification, so it is more exposed to remote and man-in-the-middle abuse unless the
QR code is short-lived and the login is confirmed in-app.