Connected Product Security: Beyond QR Code Authentication
Key Takeaways
- A standard QR code is not authentication — it is a URL that any counterfeiter can copy in minutes. Real product security requires four distinct layers working together.
- The four layers are: serialisation (random, non-sequential GS1 SGTIN identifiers), server-side verification (contextual scan analysis), cryptographic signing (unforgeable proof of manufacture origin), and physical tamper-evidence (destructive carriers that cannot be moved without detection).
- Fraudulent warranty claims cost manufacturers an estimated 10–15% of total warranty spend — cryptographic ownership verification combined with scan history analysis addresses this without adding friction for legitimate customers.
- For products priced above $100 in categories with documented counterfeiting, a complete product security stack typically delivers positive ROI within the first year from warranty fraud reduction alone.
A QR code printed on a luxury handbag, a pharmaceutical package, or an industrial component is not security. It is a URL. Anyone with a printer and five minutes can duplicate it exactly.
This is the uncomfortable reality behind a significant portion of what the market calls "connected product authentication." Brands place QR codes on products, promote them as anti-counterfeiting features, and believe the problem is addressed. Meanwhile, counterfeiters print identical codes on identical-looking packages and sell them through the same channels.
| Key Metric | Static QR Code | Server-Verified | Cryptographically Signed | Full Stack (+ tamper-evident) |
|---|---|---|---|---|
| Counterfeiter effort to duplicate | <5 minutes | Weeks (requires key access) | Impossible (no private key) | Impossible + expensive |
| Detectability of copied serial | None | Pattern analysis reveals | Cryptographic failure | Visual + digital failure |
| Fraud resistance | 0% | 85–95% | 99%+ | 99%+ |
| Implementation complexity | Minimal | Moderate | High | Very high |
| Typical use cases | Marketing, information | Mid-market brands, FMCG | Luxury, pharma, regulated goods | High-value, high-fraud-risk |
Product Security Competitors
The authentication market is fragmented. Brij, Registria, and Scantrust each specialize in cryptographic anti-counterfeiting. Narvar and parcelLab focus on post-delivery tracking, not authentication. NeuroWarranty and Dyrect emphasize warranty fraud detection. BrandedMark differentiates by combining product identity with optional cryptographic signing, creating a security layer that scales from simple authentication (QR verification) to full cryptographic proof, all integrated within a Product OS that also handles warranty, support, and parts commerce. Most competitors are point solutions; BrandedMark is infrastructure.
The global trade in counterfeit goods is estimated at $4.5 trillion annually by the OECD (according to the OECD/EUIPO report "Trends in Trade in Counterfeit and Pirated Goods"). It is not being solved by static QR codes. It is not being dented by them. And yet the conflation of "connected product" with "secure product" persists across marketing materials and boardroom presentations, creating a false sense of security while leaving products, customers, and brands genuinely exposed.
Real connected product security is not a single technology. It is a stack — four layers that work together to make product authentication meaningful rather than theatrical. Understanding each layer is the starting point for any brand that takes the problem seriously.
Layer 1: Serialisation — The Foundation That Almost Everyone Gets Wrong
Before any other security mechanism can function, each product instance needs a unique identifier. Not a model code. Not a batch number. A unique serial number that identifies this specific unit, distinct from every other unit ever made.
This sounds obvious. In practice, most manufacturers do not do it properly.
The problems are structural. Serial numbers are often assigned at the model or batch level rather than the unit level. They are sequential and therefore predictable — a counterfeiter who knows one valid serial number can generate the next thousand. They are not cryptographically bound to any product record, meaning a valid serial number can be placed on a counterfeit unit with no technical mechanism to detect the mismatch.
Proper serialisation for connected product security requires three things that standard ERP serial tracking does not provide:
Random, non-sequential identifiers. If serial numbers are predictable, they provide no security guarantee. A serial space that cannot be enumerated means a counterfeit unit cannot carry a valid identifier without having physically registered that identifier with the manufacturer's system.
GS1 SGTIN format. The Serialised Global Trade Item Number (SGTIN) combines a product's GTIN with a unique serial component, creating a globally unambiguous product identity that integrates with supply chain verification infrastructure. This is not a proprietary format — it is the international standard, and using it means product identities are interoperable with retailer systems, customs authorities, and regulatory databases.
Binding to a server-side record at manufacture. The serial number must exist in a manufacturer-controlled database before the product ships. Authentication cannot rely on what is printed on the label — it must verify against a record that only the manufacturer could have created.
This last point is the difference between a serial number as a label and a serial number as a cryptographic claim. The former can be copied. The latter requires access to a system the counterfeiter does not have.
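The three Layer 1 requirements as an added Go example (not code from the article or from BrandedMark): a GS1 mod-10 check digit, a serial drawn from crypto/rand rather than a counter, and the EPC SGTIN URI built from the GTIN-14. The sample GTIN, the 7-digit company prefix length and the 38-bit serial bound are assumptions made for the example.

```go
package main

import (
	"crypto/rand"
	"errors"
	"fmt"
	"math/big"
)

// gtinCheckDigit computes the GS1 mod-10 check digit over the first 13 digits of a GTIN-14.
func gtinCheckDigit(first13 string) (int, error) {
	if len(first13) != 13 {
		return 0, fmt.Errorf("want 13 digits, got %d", len(first13))
	}
	sum, weight := 0, 3 // the rightmost of the 13 digits carries weight 3
	for i := 12; i >= 0; i-- {
		c := first13[i]
		if c < '0' || c > '9' {
			return 0, fmt.Errorf("non-digit %q in GTIN", c)
		}
		sum += weight * int(c-'0')
		weight = 4 - weight // alternate 3,1,3,1,...
	}
	return (10 - sum%10) % 10, nil
}

// validGTIN14 reports whether a 14-digit string carries a correct check digit.
func validGTIN14(gtin string) bool {
	if len(gtin) != 14 {
		return false
	}
	cd, err := gtinCheckDigit(gtin[:13])
	return err == nil && int(gtin[13]-'0') == cd
}

// randomSerial draws a serial uniformly from [0, 2^38) with crypto/rand, so knowing one
// serial says nothing about the next. The bound (a choice made here) fits SGTIN-96's 38-bit field.
func randomSerial() (string, error) {
	n, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 38))
	if err != nil {
		return "", err
	}
	return n.String(), nil // decimal, no leading zeros, as SGTIN-96 requires
}

// sgtinURI builds the EPC pure-identity URI: the GS1 Company Prefix, then the indicator
// digit joined to the item reference, then the serial (GS1 Tag Data Standard layout).
func sgtinURI(gtin14 string, prefixLen int, serial string) (string, error) {
	if !validGTIN14(gtin14) || prefixLen < 6 || prefixLen > 12 || serial == "" {
		return "", errors.New("invalid GTIN-14, company prefix length or serial")
	}
	cp, itemRef := gtin14[1:1+prefixLen], string(gtin14[0])+gtin14[1+prefixLen:13]
	return fmt.Sprintf("urn:epc:id:sgtin:%s.%s.%s", cp, itemRef, serial), nil
}

func main() {
	const gtin = "00012345678905" // constructed GTIN-14; a 7-digit company prefix is assumed
	serial, _ := randomSerial()
	uri, _ := sgtinURI(gtin, 7, serial)
	// Layer 1, third requirement: the record exists server-side before the unit ships.
	issued := map[string]string{serial: uri}
	fmt.Println(uri, "bound:", issued[serial] != "")
}
```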
Layer 2: Server-Side Verification — Making the Connection Real
A serialised product identity only provides security if it is verified against a server the counterfeiter cannot control. This is where the architecture of QR code authentication matters enormously.
What a Static QR Code Actually Does
When a consumer scans a standard QR code, their device resolves a URL and loads a web page. The security of that interaction depends entirely on whether the URL itself is secure — and for a static QR code printed on a product, the URL is identical for every product of that type. Scanning the code on a counterfeit product loads the same page as scanning the code on a genuine one.
Some brands add a serial number to the URL, so each product has a unique link. This is better, but still not authentication. The URL is visible on the code and can be copied. The verification system, if it simply loads a page for any valid-looking URL structure, can be spoofed by anyone who understands the URL pattern.
Real server-side verification works differently. When a product is scanned, the request reaches the manufacturer's authentication server with the product's unique identifier. The server checks that identifier against the database of identifiers created at manufacture. It records the scan event — when, where, and on what device. And crucially, it evaluates the scan event in context.
Contextual Scan Analysis
A product that was manufactured in Stuttgart and sold by a retailer in Munich should not, in the normal course of events, be scanned simultaneously in Dubai and São Paulo. When a counterfeit carries a copied identifier, and both the genuine product and the counterfeit are in active use, scan pattern analysis reveals the anomaly.
This is not exotic fraud detection. It is basic contextual logic: a single product identity should have a coherent geographic and temporal pattern. Deviations from that pattern are signals. At scale — across hundreds of thousands of products — these signals resolve into actionable intelligence about where in the supply chain counterfeiting is occurring and which product lines are most targeted.
Server-side verification also enables scan-count security. A product whose identifier has been scanned 40,000 times is almost certainly counterfeit regardless of whether any individual scan fails a validity check. The server-side system tracks this; a static code on packaging cannot.
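The contextual checks described in this section, as an added Go example that is not part of the article: an impossible-travel test between consecutive scans of one serial, plus the scan-count ceiling. The coordinates, thresholds and scan timings are constructed for illustration.

```go
package main

import (
	"fmt"
	"math"
	"sort"
	"time"
)

// Scan is one verification request as the authentication server records it.
type Scan struct {
	Serial   string
	At       time.Time
	Lat, Lon float64
	City     string // label used only to make findings readable
}

// haversineKm returns the great-circle distance in km between two coordinates.
func haversineKm(lat1, lon1, lat2, lon2 float64) float64 {
	rad := math.Pi / 180
	dLat, dLon := (lat2-lat1)*rad, (lon2-lon1)*rad
	a := math.Pow(math.Sin(dLat/2), 2) + math.Cos(lat1*rad)*math.Cos(lat2*rad)*math.Pow(math.Sin(dLon/2), 2)
	return 2 * 6371 * math.Asin(math.Sqrt(a))
}

// Thresholds are assumptions for this example, not figures from the article.
const (
	maxSpeedKmh  = 1000.0 // one physical unit cannot move faster than this between scans
	maxScanCount = 10000  // far below the 40,000-scan case described in the text
)

// analyse takes every scan recorded for ONE serial, orders them by time and returns
// the anomalies found: impossible travel between consecutive scans (different places,
// simultaneous or too far apart for the time elapsed) and an implausible total count.
func analyse(own []Scan) []string {
	sorted := append([]Scan(nil), own...)
	sort.Slice(sorted, func(i, j int) bool { return sorted[i].At.Before(sorted[j].At) })
	var findings []string
	for i := 1; i < len(sorted); i++ {
		prev, cur := sorted[i-1], sorted[i]
		km := haversineKm(prev.Lat, prev.Lon, cur.Lat, cur.Lon)
		hours := cur.At.Sub(prev.At).Hours()
		if km > 1 && (hours <= 0 || km/hours > maxSpeedKmh) {
			findings = append(findings, fmt.Sprintf("impossible travel: %s -> %s, %.0f km in %.1f h", prev.City, cur.City, km, hours))
		}
	}
	if len(sorted) > maxScanCount {
		findings = append(findings, fmt.Sprintf("scan count %d exceeds %d", len(sorted), maxScanCount))
	}
	return findings
}

// sampleScans is constructed data for one serial: Munich, Dubai six hours later (a
// plausible flight), then Sao Paulo one hour after that (not plausible for one unit).
func sampleScans() []Scan {
	t0 := time.Date(2024, 3, 1, 9, 0, 0, 0, time.UTC)
	return []Scan{
		{"123456", t0, 48.1351, 11.5820, "Munich"},
		{"123456", t0.Add(6 * time.Hour), 25.2048, 55.2708, "Dubai"},
		{"123456", t0.Add(7 * time.Hour), -23.5505, -46.6333, "Sao Paulo"},
	}
}

func main() { fmt.Println(analyse(sampleScans())) }
```

In production the same scans would be grouped by serial from the scan log before calling analyse, and a finding would feed a review queue rather than an automatic rejection.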
Layer 3: Cryptographic Signing — Proof That Cannot Be Forged
Server-side verification confirms that an identifier exists in a database. Cryptographic signing goes further: it provides mathematical proof that the identifier was created by a specific key holder — a proof that cannot be replicated without access to the private key.
This is the technology that secures HTTPS connections, code-signing certificates, and document authenticity. Applied to product identity, it means that a product's digital identity contains a cryptographic signature that can only have been generated by the manufacturer's signing key.
How Product-Level Signing Works
At manufacture, each product's identity record is signed using the manufacturer's private key. The signature is embedded in the product's digital identity — typically encoded in the QR code or NFC chip alongside the serial identifier. When a consumer or verifier scans the product, their device or the verification server can confirm the signature against the manufacturer's public key without needing to transmit the private key or access the signing system.
The result is authentication that does not rely on database connectivity for its core security guarantee. Even in an offline context — an inspector in a warehouse with poor connectivity, a customs official at a border point — the cryptographic signature on a product can be verified against a published public key. A counterfeit carrying a copied identifier will fail signature verification unless the counterfeiter has the manufacturer's private key, which they do not.
For high-value goods, pharmaceutical products, and any product subject to regulatory compliance requirements, cryptographic signing is the baseline for credible anti-counterfeiting claims. It is the difference between "this identifier exists in our database" and "this identifier was created by us."
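Product-level signing as an added Go example (not BrandedMark's code or the article's) using the standard library's Ed25519: the record's fields, its canonical byte layout and the dot-separated payload format are assumptions made here. The verifier holds only the public key, which is what makes the offline check possible.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"fmt"
	"strings"
)

// Record is the product identity signed at manufacture. The field set is an assumption
// for this example; what matters is a fixed canonical byte form shared by signer and verifiers.
type Record struct {
	SGTIN   string // EPC URI from Layer 1
	Batch   string
	MadeUTC string // RFC 3339 date
}

// canonical serialises the record as versioned, pipe-separated fields in fixed order.
func (r Record) canonical() []byte {
	return []byte(strings.Join([]string{"v1", r.SGTIN, r.Batch, r.MadeUTC}, "|"))
}

// signRecord produces the payload a QR code or NFC chip would carry: the canonical
// record, a dot, and a base64url Ed25519 signature over those bytes.
func signRecord(priv ed25519.PrivateKey, r Record) string {
	body := r.canonical()
	sig := ed25519.Sign(priv, body)
	return string(body) + "." + base64.RawURLEncoding.EncodeToString(sig)
}

// verifyPayload checks a scanned payload against the manufacturer's published public
// key. It needs neither a database nor a network, which is what lets an inspector
// verify offline; the private key is never involved.
func verifyPayload(pub ed25519.PublicKey, payload string) (Record, bool) {
	dot := strings.LastIndex(payload, ".")
	if dot < 0 {
		return Record{}, false
	}
	sig, err := base64.RawURLEncoding.DecodeString(payload[dot+1:])
	if err != nil {
		return Record{}, false
	}
	body := payload[:dot]
	fields := strings.Split(body, "|")
	if len(fields) != 4 || fields[0] != "v1" || !ed25519.Verify(pub, []byte(body), sig) {
		return Record{}, false
	}
	return Record{SGTIN: fields[1], Batch: fields[2], MadeUTC: fields[3]}, true
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // in production the private key stays in an HSM
	genuine := signRecord(priv, Record{"urn:epc:id:sgtin:0012345.067890.123456", "B42", "2024-03-01"})
	_, ok := verifyPayload(pub, genuine)
	// Reusing a genuine signature on a different serial fails: the signed bytes changed.
	_, altered := verifyPayload(pub, strings.Replace(genuine, "123456", "123457", 1))
	fmt.Println("genuine:", ok, "altered serial:", altered)
}
```

Note what the signature does not do: a byte-for-byte copy of a genuine payload verifies just as well, which is why Layer 2's scan analysis and Layer 4's tamper-evident carriers remain necessary.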
The Passkey Connection
The same cryptographic infrastructure that enables product authentication also enables a more sophisticated form of ownership verification — and this is where passkeys for product identity become relevant.
WebAuthn passkeys, the standard underlying modern passwordless authentication, use device-bound cryptographic keys to prove identity without transmitting secrets. Applied to product ownership, a consumer who registers a product can bind their ownership claim to a passkey on their device. Subsequent interactions — warranty claims, ownership transfers, support requests — can be verified cryptographically, not just by checking whether someone knows an account password.
This is ownership proof at a level that traditional warranty registration cannot provide. When a customer submits a warranty claim, the system can verify not just that they have an account associated with the product, but that they are physically in possession of a device that was present at registration. The bar for fraudulent warranty claims — already low for most manufacturers — becomes significantly higher without adding friction for legitimate customers.
Layer 4: Physical Tamper-Evidence — Closing the Hardware Gap
Cryptography secures the digital identity. Physical tamper-evidence addresses the hardware gap: the possibility that an authentic identity carrier — a QR code label, an NFC chip, a printed code — is removed from a genuine product and placed on a counterfeit.
This is the attack vector that pure digital security cannot prevent. If the carrier of a product's digital identity can be physically moved, then a counterfeiter who obtains one genuine product can use its identity to authenticate many counterfeit ones.
Physical tamper-evidence mechanisms address this by making the identity carrier destructive to remove. Void labels that display "OPENED" or "VOID" on removal. Destructive NFC substrates that disable the chip when peeled. Labels with sub-surface optically variable features that cannot survive removal and reapplication. These mechanisms do not make counterfeiting impossible — determined, well-resourced operations can overcome them — but they substantially raise the cost and complexity of the attack.
For most product categories, the combination of serialised identity, server-side verification, and cryptographic signing makes counterfeiting economically unattractive even without physical tamper-evidence. The additional layer is most valuable for high-margin goods where the economics of counterfeiting justify significant investment.
The practical point for product managers is that physical and digital security are complementary, not substitutes. A product with sophisticated digital authentication but easily removable labels has a known vulnerability. A product with excellent physical tamper-evidence but no server-side verification is verifiable at point of manufacture but not in the field.
The Business Case for Product Security
Most discussions of product authentication frame security as a cost — a compliance requirement or a defensive investment against brand damage. The complete business case is more interesting.
Warranty fraud reduction. Fraudulent warranty claims cost manufacturers an estimated 10–15% of total warranty spend (based on BrandedMark's analysis of warranty claim patterns across connected product programs). Cryptographic ownership verification, combined with scan history analysis, identifies claims where the stated ownership cannot be verified and where scan patterns suggest the product is not what it is claimed to be.
Grey market visibility. Products sold into authorised channels in one region consistently appearing in scan data from other regions are almost certainly being diverted through grey market distribution. Server-side scan analytics surface this in near-real time, before the grey market pricing has undermined the authorised channel.
Customs and regulatory support. Regulatory authorities in the EU, US, and major Asian markets increasingly accept cryptographically verified product identity as evidence of authenticity in customs disputes and product safety investigations. Manufacturers with robust digital authentication infrastructure can provide this evidence; those without it rely on documentation that is easier to dispute.
Customer trust at scale. Consumers who scan a product and receive a clear, credible authenticity verification — not just a brand landing page, but a confirmation tied to a specific unit's manufacture and chain of custody — report higher purchase confidence and higher likelihood of repeat purchase. The experience itself is a brand differentiator in categories where counterfeiting is known.
For a product with a retail price above $100, in a category with documented counterfeiting activity, the ROI on a complete product security stack is typically positive within the first year from warranty fraud reduction alone. The grey market and brand value effects make the case substantially stronger.
What a Secure Connected Product Looks Like
Putting the four layers together, a genuinely secure connected product has identifiable characteristics that distinguish it from a product with cosmetic security features.
At manufacture: Each unit is assigned a random, non-sequential SGTIN-format serial identifier. A cryptographically signed identity record is created and bound to the serial. The identifier is embedded in a tamper-evident carrier — a destructive QR label, an embedded NFC chip, or both.
At distribution: Scan events in the supply chain are recorded against the product's identity record, establishing a chain of custody that can be audited if the product is later suspected of diversion.
At point of sale: A consumer scan resolves to an authentication server that verifies the serial, checks scan history for anomalies, confirms the cryptographic signature, and returns a verification result. The entire process takes under two seconds and requires no special app.
Post-purchase: The consumer's registration binds their ownership claim to their device credentials. Subsequent warranty claims, ownership transfers, and support interactions are verified against that binding. The product's scan history continues to accrue, providing ongoing signals about geographic location, usage patterns, and potential fraud indicators.
At end of life: The product's complete digital history — all scan events, ownership transfers, service records, and compliance documentation — is available for digital product passport requirements, circular economy programmes, and parts certification.
This is not a theoretical architecture. It is deployable today, on products that already carry QR codes, without hardware changes at the factory level. The investment is in the platform infrastructure and the key management practices — both of which are well within the reach of any manufacturer serious about product security.
The Security Standard Is Moving Up
The important thing to understand about connected product security is that the bar is rising, driven by regulation and by market expectations, whether or not individual manufacturers choose to raise it themselves.
The EU's product safety and digital product passport regulations are building an environment in which products without verifiable digital identities will face increasing friction in authorised channels. Retailers, particularly in electronics and luxury goods, are beginning to require serialised digital identity as a listing condition. Customs authorities are developing technical capacity to verify cryptographic product signatures at border inspection points.
The brands that treat QR code security as a static feature — print a code, call it done — will find themselves with a growing compliance gap and a widening disadvantage relative to competitors who built genuine security infrastructure.
The brands that understand product security as a layered system — serialisation, server-side verification, cryptographic signing, physical tamper-evidence — are building something more durable: a product identity infrastructure that works harder over time, accumulates intelligence with every scan, and serves as the foundation for every connected product capability they build on top of it.
A QR code is not authentication. But the infrastructure behind it can be — if you build it right.
FAQ: Connected Product Security
Do I need cryptographic signing if my primary concern is warranty fraud, not counterfeiting?
No. Warranty fraud mitigation requires registration timing data, scan pattern analysis, and claim history tracking — all server-side functions that don't require cryptographic signing. Cryptographic signing is most valuable for high-margin or high-fraud-risk products (luxury goods, pharmaceuticals, regulated components). For typical durable goods, serialisation + server-side verification + scan pattern analysis solves 90% of fraud risk at a fraction of the complexity.
How do I implement cryptographic signing without slowing down manufacturing?
Signing happens post-manufacture, typically during packaging or quality assurance. The product receives its serial identifier and associated metadata during manufacturing. The signing key (stored securely in a Hardware Security Module, HSM) is used to sign the product record in the digital system, not at the physical production line. This is a database operation, not a manufacturing operation — no slowdown required.
What's the cost difference between static QR codes and fully secured product identities?
Static QR codes: near zero cost at scale (pennies per code). Serialised identity without cryptography: $0.10–0.30 per product (unique code generation, database record). Cryptographically signed identity: $0.20–0.50 per product (signing overhead, key management). For a manufacturer shipping 1 million units annually, the difference between basic serialisation and cryptographic signing is $100K–$300K annually — typically justified by fraud risk reduction on high-value product lines or premium categories.
If I implement security infrastructure, do I need to retrofit existing products already in the field?
No. Future products carry the new security infrastructure. Existing products remain in place with whatever security level they currently have. You can bridge the gap by offering optional re-registration or re-serialisation for high-value products still under warranty, but it's not necessary for the security infrastructure to have business value — it compounds as new units ship with stronger identity and verification.
BrandedMark provides serialised GS1 Digital Link identity, server-side scan verification, and cryptographically signed product records as core platform capabilities — not add-ons. Security is part of the Product OS from the first product deployed.
