5 QR code do's and don'ts

1. Do use free tools and experiment

As well as Q-Action there are loads of free tools and apps out there, both for creating and for reading QR codes. You can download a free reader app to your smartphone, and there are web sites (including Q-Action) where you can generate free QR code images for printing. Note that QR code and 'bar' code or UPC are not the same thing. You need to experiment and test and to think about how you will maintain the codes in future - such as if your web address changes after you have posted 50,000 leaflets.

2. Don't pimp your code

QR codes can contain some redundancy (Q-Action uses the maximum 30%) and some of the shapes are for orientation and calibration. Even the white border is part of the code. If you colour the pixels or the background, or cover them with reflective plastic they may not work, or worse they may work for you in a test environment and not your user in their environment. Remember that cameras do not naturally see the same spectrum that we do.

3. Do think about size and location

If the user can hold their phone close to your QR tag then 20 mm square should be a safe minimum size. If not, then as a rule of thumb a side of the printed code should measure about one tenth of the viewing distance. Remember also that bending a QR code around a mug or similar will distort it, so you have to stretch the original image just the right amount to make it appear square. If your QR code is a web address then the user will need a mobile phone signal or wi-fi to access the web page. The classic error is to print a small code on a poster the other side of subway tracks in an underground location. QR codes are a way of going from a physical artefact to an on-line experience, so it's no good having a QR code on a web page where it would be easier to have a clickable link. See wtfqrcodes for a laugh at the expense of....others.

4. Do use re-programmable QR codes

Free cloud services like YouTube, Flickr, Google Drive, and Dropbox enable you to share editable documents on the web, but take care to use a programmable QR code (like the Q-Action 'Goto' type) because if you change the document its URL will change. You don't want to have to re-print the code each time.

5. Do think about where you are sending the user

A mobile phone has a very small screen and limited add-on functionalities such as Flash. It's no good sending the user to a page that is not designed for mobiles. Also, the way people use QR codes is a very 'here and now' medium so your page should give the user something that is relevant to where they are and what they can do at that moment in time. Sending them to your normal home page will only annoy them - it's the QR code equivalent of spam.

It's amazing how many ideas you can come up with if you just think through the fact that QR codes take you to a web page and you can update that web page. Have a go with a couple of Q-Action free pages and see what you can come up with.

Q-Action cards as a secure access system

Here’s how Q-Action QR codes can be used to create a simple but robust photo-pass access security system for buildings and events, at almost no cost and without special equipment or infrastructure.

The security problem

I once interviewed a security chief at a major airport who, rather alarmingly, told me that his tests had shown that you could walk past one of their security guards with the photo security pass of someone radically different to you and yet still have an 80% chance of not being challenged as, even putting sloppiness and fatigue aside, it was difficult for humans to match photographs to people. Technologies such as biometrics have been hyped as solutions, but are costly and have so far failed to work reliably; as demonstrated by the recent abandonment of iris scanning at UK passport control. Technological solutions to security seem to come at a cost and to involve dedicated equipment, with little by way of fall-back if it fails.

As with any security system the effort and complexity of what you build using Q-Action depends on the nature of the risk and the degree of threat, but you can easily lock this system down to a greater or lesser degree according to your resources and your own balance of security and convenience. You can also change that balance quickly in response to perceived threats.

Really Simple Security

For a low-level security system without requiring equipment or infrastructure beyond a smartphone, you create a standard Q-Action membership or similar card type, ideally  with a photo of the owner. You could even put the photos on a shared space where they can be maintained by the card owner as they get older, grow beards, change their hair, or wear glasses. You can produce printed cards with the photo images and the QR code like standard security passes.

The QR code on the cards are scanned by security personnel with a any PC/laptop/tablet or a mobile phone. Even at this level it already represents an increased level of security as the photo that appears on the card and the photo on file that appears on scanning the QR code should be identical. This should already be much more positive and reliable than asking a person to compare a poor passport-booth photo with a real face walking by (which you will still have present as a check that this is the holder).

If you have a high peak traffic flow and want to avoid hold ups you could let the individuals scan their own cards and simply show their phones and matching cards to security. Both are possible to fake, but it is a lot of trouble.

Really Serious Security

Now comes the clever bit. The trick is to create one or more ‘security images’ that can be uploaded to a fixed URL that only you have access to. You put this single URL in all of your cards in the ‘background image’ field. This means that the current background will be rendered from all cards as they are scanned. As this is repetitive, any change in the regular background will be immediately apparent to security personnel.

You can change the background of the cards according to days of the week, time of day, or even individually per user according to their access level. As no user has access to the image, which could be complex, or could be unique and frequently changing, it would be difficult in the extreme to anticipate or replicate the correct security image.

If you are really prepared to go to town and have a Local Area Network and/or Wi-Fi, you could put the image on an internal server and restrict access by IP or MAC address, as well as restricting access of the scanning device to the known image source. This ensures that the security image is only delivered to a known device, and that the scanning device can only access the security image from a known source. This should be within the capabilities of most local set-ups using only the standard user access control features. Add WPA or similar encryption and you have a system that is about as locked down as it can be.

Lost stolen and abused

Q-Action cards reported as lost or stolen can have the message or the photo changed by the administrator to give a highly visible warning to security upon scanning. The background image URL can also be removed or changed to an alert one. Any subsequent scanning can also be noted from the web analytics audit trail. Cards can thus be rendered ineffective and a liability.

Regular system abusers, or personnel known to be high-risk, or in some other way special, such as visitors or contractors, can be flagged with a message or a different background image that causes security to give them appropriate attention.

No photo (or other data apart from the QR code) on the physical cards in an internally locked-down system (security image served from an internal server not available on the Internet) means that anyone gaining possession of a valid card and trying to use it, or to doctor it, has no idea what the complete scanned result should look like.

Multi-factor security

There are a number of factors that make it difficult to circumvent a Q-Action access system, but the fundamental strength is that you can centrally control, and easily change as frequently as you like, the data, the photo, and the background security image that attests to its validity.

Other factors are:

• Physical photo and stored photo (or other image) are an exact match, which is easy and quick for a human to assess
• Q-Action URLs are randomly generated so are not able to be guessed
• The first part of the URL shown after scanning should be the Q-Action one, otherwise it is a fake and this can be captured in a closed local network
• Q-Action QR codes are hard to spoof as all look very similar whereas another URL would produce a different pattern
• Access to the security image can be highly restricted in a local area network
• Using web page analytics means that an audit trail can be created

Geocaching with QR codes

There just has to be a new angle on geocaching using QR codes. One user has suggested that instead of leaving 'treasure' articles in containers there could be a QR tag from which you are able to access some form of on-line 'treasure'. Maybe we could make a Q-Action page where people can sign in, instead of a physical log book that is subject to vandalism and the elements. The hunt is on.

Getting Q-Action into Print

Getting a q-action qr-code into print is easy - <right-click> over the image and <copy image> then paste into your favorite word processor or image editing program then print.

But what if you want the image to be bigger? If you simply stretch the qr-code it will probably look horrible when printed. This is because the codes as they appear on the screen are only 150 x 150 pixels and the software has stretched the image using rules that wirk for photographs, but are not so good for graphics.

We did think of adding some buttons to allow you to download the image in some larger sizes before we realised that there is an easy way to scale the image to any size you need.

• Paste the qr-code into gimp. (Our favorite free, open source image editor).
• Select image > scale image.
• Set interpolation to none. Interpolation sets the rules used to scale the image.
• Set the dpi. 
• For viewing on screen use 72 dpi. 
• For ordinary colour printing use 150dpi.
• For high resolution printing use 600 dpi.
• If you are a professional printer you will probably smugly say you use 1200 dpi or higher.
• Set the image to the size you want. Happily you can mix imperial and metric units here, but you will want to keep the width and height equal.
• Click scale.
• Save the image as a TIFF, PNG or other "non lossy" format otherwise it will look fuzzy.
• Print and enjoy.

Decorating Q-Action Codes

Purists are quick to point out that the standard for QR codes specifies that they should be black and white with a border. The artistically inclined are equally quick to point out that this makes QR codes visually very boring and wouldn't it be nice if they were decorated in some way.

Fortunately many QR code readers are very tolerant of colour variations and the codes themselves incorporate a certain amount of tolerance to error in print quality. This means that it is possible to tweak a codes visually as long as you are sure that it is not going to be used on something that is mission critical.  So if your code is going to be used on a manned mission to Mars stick to the black and white version.

Using any image as a base the following method should give you a reasonable result:

1. Load your image into the GIMP image editing program.
2. Grab a copy of the QR-Code image by using right-click over the image on the view page of your q-action account.
3. Back to Gimp and paste as a new layer.
4. Scale the layer making sure interpolation is set to none. The code will get unhelpfully distorted if you use any other setting.
5. Add a layer mask using image greyscale option.
6. Adjust brightness and contrast until the result looks OK.
7. Crop and save the image.

I reset this q-action code to point to the you-tube video of how it was made using these instructions.

And this is the video: