Scantrust Secure Codes (SSC) are printed with the secure graphic which is a copy-resistant anti-counterfeiting feature. By default these codes can be authenticated with the Scantrust Mobile App or the Scantrust Enterprise App (for iOs / Android), however this requires the user to download a dedicated app - and to have a supported phone: a phone with a camera that has been calibrated by Scantrust to do video-auth.
The Photo-auth feature was developed for a client landing page or app to give the ability to the user to upload a photo for authentication, removing the requirement for downloading an app or having a calibrated phone. This document describes the API provided by Scantrust to do the photo-auth.
Before implementing a custom landing page or integrating photo-auth into your app, please consider the notes below for implementation:
Supported Printing Technologies
Though all Scantrust Secure Codes work with photo-auth, it has been optimized for usage with digitally printed codes using HP Indigo technology. Make sure to check with your Scantrust Project Manager to make sure your codes are compatible with PhotoAuth..
Provide clear instructions to the end user
The photo-auth endpoint will not authenticate bad quality photos (the server response will generally be that there is a quality issue with the picture) and is intended to be used with landing pages or apps which provide the correct instructions to the end-user on taking the photo. These instructions should include:
- Correct distance to the QR code (as close as possible to the minimum focus distance, to capture an image of big enough size for the secure graphic to be captured)
- Tapping to focus (to prevent blurred images)
- Zooming in on the QR Code (which helps the user to see that the QR Code is in focus)
- Switch on the flash (to capture the image with the best possible lighting which can help reduce the number of f-stops needed)
- Tilting slightly the camera (to prevent glare when the flash is on)
- Reminder to the user that the QR Code will not scan automatically and that a photo must be captured
For an example implementation see the Photo Auth Landing Page example.
Phone Camera limitations
Photo-auth is much more permissive than video-auth when it comes to supported phones, and a very high percentage of current smartphones are supported. However there are still phones out there with insufficient camera quality to obtain a good picture, as well as phones with sufficient camera quality but which are more difficult to get in the right focus. This is sometimes not only caused by the age of the phone, but can also be due to other factors such as image distortion by the photo app (‘beautification’), low quality lenses, lenses not optimized for close-up images etc.
Therefore the landing page or app from which the photo-auth is called needs to implement a mechanism for detecting repeated failures and notify the user that there could be an issue with their phone.
Landing Page Redirection
The photo-auth scan result contains only the result of the authentication and doesn’t handle the redirection. The client app has to decide to which final landing page the user will be redirected. The “consumer_url” from the response can be used, or the scan UUID can be used to look up additional (campaign) data through our scantrust consumer API. See the Consumer API Documentation for more details.
Combatting Fake URLs
A common approach of counterfeiters is to put a QR code on their fake products with a URL which mimics the look and function of your landing pages. It is important to communicate with your users that your PhotoAuth feature can only be accessed through a trusted channel for example a link from your Facebook account - or from your offical website. If you need more information or are looking for advice around this complicated topic, please contact your Scantrust Account Manager.