QR Codes: How They Work & Best Practices

QR stands for 'Quick Response' - designed to be scanned rapidly by machines. Basic structure: • Finder patterns: Three large squares in corners help scanners locate and orient the code • Alignment patterns: Smaller squares help with distortion correction • Timing patterns: Alternating black/white lines help determine grid size • Format information: Encodes error correction level and mask pattern • Data region: The actual encoded information • Quiet zone: White border required around the code Data encoding: • Numeric mode: 0-9 only (most efficient) • Alphanumeric mode: 0-9, A-Z, some symbols • Byte mode: Any character (UTF-8 common) • Kanji mode: Japanese characters Capacity (Version 40, highest): • Numeric: 7,089 characters • Alphanumeric: 4,296 characters • Binary/Byte: 2,953 characters Most QR codes you see are much smaller versions with less capacity.

QR codes use Reed-Solomon error correction, allowing them to be read even when partially damaged. Error correction levels: • Level L: ~7% can be damaged • Level M: ~15% can be damaged (most common) • Level Q: ~25% can be damaged • Level H: ~30% can be damaged This means you can: • Add logos or images to the center (using high error correction) • Print on textured surfaces • Read codes that are scratched or dirty • Use stylized designs that modify some modules Trade-off: Higher error correction = less data capacity. A code with Level H holds about 30% less data than Level L. Best practice: Use Level M for most applications. Use Level H if you're adding a logo or expect physical damage.

URLs (most common): • Link to websites, apps, or landing pages • Deep links to specific content within apps • Social media profiles Payments: • Mobile payment apps (Venmo, PayPal, WeChat Pay) • Cryptocurrency addresses • Bank transfers in many countries Authentication: • Two-factor authentication setup (TOTP) • Login to services (WhatsApp Web, Telegram) • Event tickets and boarding passes Contact information (vCard): • Share business card details • Add contacts directly to phone Wi-Fi credentials: • Connect to networks without typing passwords • Format: WIFI:T:WPA;S:NetworkName;P:Password;; Plain text: • Short messages • Product serial numbers • Configuration data Location: • Geographic coordinates • Maps links

Size matters: • Minimum 2cm x 2cm for reliable scanning at arm's length • Larger for greater distances (billboards, posters) • Rule of thumb: scanning distance / 10 = minimum size Contrast is critical: • Dark modules on light background (not necessarily black on white) • At least 4:1 contrast ratio • Avoid low-contrast color combinations Quiet zone: • Maintain white space around the code (4 modules minimum) • Don't let other graphics touch the code Testing: • Test with multiple devices and apps • Test in different lighting conditions • Test at the expected scanning distance • Test printed versions, not just screens Dynamic vs static: • Static QR codes contain the data directly • Dynamic QR codes redirect through a service (editable destination) • Dynamic codes are better for marketing (tracking, updating URLs) Short URLs: • Use URL shorteners to reduce code complexity • Smaller codes are easier to scan • But consider: shortened URLs can expire or change ownership

QR codes themselves are just data - security depends on what that data does. Phishing risks: • QR codes can contain malicious URLs • Users can't see the destination before scanning • Always verify the URL after scanning, before taking action QR code replacement attacks: • Criminals place stickers over legitimate QR codes • Common on parking meters, payment terminals, public posters • Look for signs of tampering (stickers, misalignment) Best practices for scanning: • Use your phone's native camera app (more secure than third-party apps) • Preview the URL before visiting • Be suspicious of QR codes in unexpected places • Verify payment amounts before confirming Best practices for creating: • Use HTTPS URLs when possible • Consider branded short links for trust • Monitor your QR codes for unauthorized modification • For sensitive applications, implement additional verification Malicious data types: • URLs to phishing sites • Automatic app downloads • Payment redirections • Contact cards with malicious URLs

Micro QR codes: • Smaller version for space-constrained applications • Only one finder pattern • Less data capacity • Less common scanner support Framed QR codes: • Include text labels within the design • Better user experience ("Scan to pay") • Requires careful design to maintain scannability Colored and branded QR codes: • Add logos to the center (use high error correction) • Use brand colors (maintain contrast) • Round corners on modules for softer look • Still technically standards-compliant if scannable Art QR codes: • AI-generated artistic designs • Integrate QR into images • Higher failure rate - always test thoroughly Multi-link QR codes: • Single code that presents multiple options • Useful for "choose your platform" scenarios • Requires a landing page or service Sequential QR codes: • Multiple codes that link together • For data that exceeds single-code capacity • Rarely used in practice