The Rise and Rise of the Barcode

Barcodes have long sat awkwardly in the secure document world. They are fast and cheap, but easily copyable. A barcode is printed data, making it easy to clone, reprint or alter. But the industry is rethinking what a barcode is and what it can do. Instead of just holding a reference number that points to a record in a database, the barcode increasingly carries the actual identity data plus a digital signature from the issuer, drastically increasing its security and usefulness.

Barcodes on secure documents

At first, barcodes on identity documents were used for practical reasons, to scan details quickly and avoid mistakes from typing information by hand.

The introduction of the QR code by DENSO WAVE in 1994 offered several advantages over existing 2D codes for document security applications. QR has three large finder patterns in the corners plus alignment and timing features, which makes it quick for cameras to locate, size, and de-skew in messy real-world scanning. It also supports multiple encoding modes and increases capacity up to 4,296 alphanumeric characters in some versions.

The pandemic made QR checks routine because organisations had to confirm people’s COVID status quickly at scale in airports, borders and at workplace entrances.

These checks were often done in places without reliable network connection or direct access to the issuing health database. The checker of the code (the ‘relying party’) needed a method that was fast, consistent, and didn’t require contacting the issuer every time someone presented a vaccination certificate.

It also reduced dependence on scarce chip-based components at a time when COVID-era supply disruptions made semiconductor availability unpredictable.

So the design moved the verification of the data into the QR itself. The code carried the person’s relevant details (eg. vaccination, test and recovery data) plus a tamperproof stamp applied by the issuing authority. The scanner app could then verify that stamp using the authority’s published verification key, confirming both who had issued the certificate and that the data hadn’t been changed, even when offline.

On ID cards

Barcodes on ID cards are already widely used, mainly for practical reasons. They let staff scan details quickly instead of typing long numbers, which reduces mistakes and speeds up checks.

What a barcode can hold depends on how it is designed. A basic barcode might contain only an ID number. A more advanced code can carry key personal details, such as name, date of birth, card number and expiry date, and in some designs even a portrait image.

The main weakness of barcodes is that they can be copied as images. A copied barcode will still scan. The way to reduce this risk is to make the barcode carry data that is (1) protected against editing and (2) linked to the person presenting the card. The first part is done with the issuer’s digital signature. The second part can be done by including a portrait in the code and comparing it to the holder.

Barcodes and chips

Barcodes can be used alongside chips. The chip is best for higher-security functions, but the barcode is useful for quick camera-based checks, offline backup, and broad compatibility where chip readers are not available.

But codes are also finding uses where they stand alone without a chip.

This can make sense for documents used only in domestic settings. If a credential does not need to interoperate internationally or comply with travel document standards, the issuer has more freedom to choose the verification architecture.

In many domestic schemes, authenticity is normally checked against a centralised database; a barcode can still support that model by carrying an identifier that resolves to the holder’s record. Alternatively, the issuer can push more assurance into the barcode itself by embedding the core identity attributes plus an issuer digital signature, enabling consistent verification even when the relying party has limited connectivity.

The industry is moving beyond ‘signed data’ into ‘signed biometric binding’. This newsletter’s October 2025 feature on FaceTec’s UR® Codes described a 2D barcode carrying a digitally signed face vector bound to identity attributes, verified locally with liveness detection. The aim here is to replace human judgement with cryptographically verifiable issuer authenticity and holder binding.

To accommodate the changes in technology, issuers are changing rules to allow substitution. In February, Pakistan’s National Database & Registration Authority authorised use of a ‘QR code or any other technological feature’ in lieu of the current microchip, enabling new verification methods without repeated changes to legalisation.

Some procurement projects are now moving towards ‘chipless by design’ ID cards. The Rwanda Information Society Authority published tender documents this year for a Single Digital Identity (SDID) card printing and personalisation system 1.

In the tender requirements, the SDID card is built around a QR code on the card rather than an electronic chip. The QR code is intended to carry the person’s key identity details and a tamperproof issuer stamp (a digital signature).

The issuer generates the signature using strong cryptography (RSA-2048 or ECDSA P-256) and protects the signing keys inside certified secure hardware. The baseline design explicitly excludes a chip and contactless module – so no embedded chip/antenna inlay is required.

Cost considerations

Part of the drive towards the expanded use of barcodes is to do with cost. Inlay components are a significant part of the overall cost of production of ID and travel documents and must be validated against different card constructions, making qualification both lengthy and expensive. A digitally signed QR code can reduce reliance on costly chip-and-antenna parts by letting some checks be done with ordinary cameras.

A barcode can also reduce supplier lock-in. Once a chip-based scheme is deployed, changing the system integrator or chip/inlay supply chain can be difficult because the credential design is tightly coupled to specific components. With a chipless document, more of the security can be anchored in the issuer’s signing keys and verification rules rather than in a particular chip module, which can make it easier for a government to change supplier if procurement conditions change.

Barcodes will not ‘kill off’ chips. Chips remain unrivalled where secure elements, on-card keys and robust protocols are required. But the barcode is establishing a distinct niche for itself: low-cost, offlineverifiable, smartphone-readable credentials with cryptographic integrity and, increasingly, biometric holder binding.

How Barcodes Encode Data

1D (linear) barcodes encode data in a single direction using parallel bars and the spaces between them. Each character is represented by a specific pattern of dark bars and light gaps where the widths and their sequence carry the information.

As an example, the character ‘A’ might be encoded as bar (wide), space (narrow), bar (narrow), space (wide), bar (narrow), space (narrow), bar (wide), space (narrow), bar (narrow).


A scanner doesn’t ‘see A’; it measures the sequence of wide/narrow bars and spaces, then looks up which character that pattern corresponds to.

2D barcodes extend this idea into two dimensions. Instead of widths on one line, data is stored in a grid of tiny squares (modules) or stacked rows. This greatly increases capacity and allows error correction so the code can still be read if it’s scratched or partly obscured.

A QR code is a 2D symbol with distinctive finder squares in three corners and timing/alignment patterns. The reader locates and de-skews the grid, samples each module as black/ white, then applies error correction to recover the payload (text or binary data).

www.qrcode.com/en/history

1 - www.risa.gov.rw/fileadmin/user_upload/RISA/Publications/Tenders/SPD-Card_Printing_and_Personalization_System_and_related_con-sumables-with_AT_HR_comments-26-02-2026-Comb_T_and_P_comments-Approved_version-17-03-2026-Final_approved.pdf