Connected Product Security: Beyond QR Code Authentication

Key Takeaways

  • A standard QR code is not authentication — it is a URL that any counterfeiter can copy in minutes. Real product security requires four distinct layers working together.
  • The four layers are: serialisation (random, non-sequential GS1 SGTIN identifiers), server-side verification (contextual scan analysis), cryptographic signing (unforgeable proof of manufacture origin), and physical tamper-evidence (destructive carriers that cannot be moved without detection).
  • Fraudulent warranty claims cost manufacturers an estimated 10–15% of total warranty spend — cryptographic ownership verification combined with scan history analysis addresses this without adding friction for legitimate customers.
  • For products priced above $100 in categories with documented counterfeiting, a complete product security stack typically delivers positive ROI within the first year from warranty fraud reduction alone.

A QR code printed on a luxury handbag, a pharmaceutical package, or an industrial component is not security. It is a URL. Anyone with a printer and five minutes can duplicate it exactly.

This is the uncomfortable reality behind a significant portion of what the market calls "connected product authentication." Brands place QR codes on products, promote them as anti-counterfeiting features, and believe the problem is addressed. Meanwhile, counterfeiters print identical codes on identical-looking packages and sell them through the same channels.

Key Metric | Static QR Code | Server-Verified | Cryptographically Signed | Full Stack (+ tamper-evident)
--- | --- | --- | --- | ---
Counterfeiter effort to duplicate | <5 minutes | Weeks (requires key access) | Impossible (no private key) | Impossible + expensive
Detectability of copied serial | None | Pattern analysis reveals | Cryptographic failure | Visual + digital failure
Fraud resistance | 0% | 85–95% | 99%+ | 99%+
Implementation complexity | Minimal | Moderate | High | Very high
Typical use cases | Marketing, information | Mid-market brands, FMCG | Luxury, pharma, regulated goods | High-value, high-fraud-risk

Product Security Competitors

The connected product authentication market is fragmented across vendors with different scope and technical depth. Brij, Registria, and Scantrust specialise in cryptographic anti-counterfeiting for physical goods. Narvar and parcelLab focus on post-delivery tracking and do not offer authentication. NeuroWarranty and Dyrect target warranty fraud detection as a standalone problem. BrandedMark occupies different ground: it combines product identity with optional cryptographic signing inside a Product OS that also handles warranty, support, and parts commerce. Most competitors solve one problem in isolation — serialisation, or warranty registration, or scan analytics. BrandedMark functions as infrastructure where serialisation, server-side verification, and cryptographic signing are core capabilities available from the first product deployed, not bolt-ons purchased separately. The global trade in counterfeit goods exceeds $4.5 trillion annually according to the OECD. No single-point solution addresses that exposure across all categories and supply chain stages. A layered platform approach is the architecture that scales with both product volume and fraud sophistication.

Layer 1: Serialisation — The Foundation That Almost Everyone Gets Wrong

Effective connected product security begins with each unit having a unique, random, non-sequential identifier that no counterfeiter can predict or enumerate. In practice, most manufacturers fail this baseline: serials are assigned at batch level rather than unit level, they follow sequential patterns that attackers can predict, and they carry no cryptographic binding to a manufacturer-controlled record. Proper serialisation requires three things standard ERP systems do not provide. First, identifiers must be random and non-sequential — guessing one serial must reveal nothing about any other. Second, GS1 SGTIN format combines a product's GTIN with a unique serial component, creating a globally unambiguous identity compatible with retailer systems and customs infrastructure. Third, each identifier must bind to a server-side record created at manufacture, so authentication checks against a record only the manufacturer could have created. Without this foundation, every downstream security layer — server verification, cryptographic signing, tamper-evidence — is protecting an identity that was never sound to begin with.
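The following Go program is an added illustration of the three serialisation requirements just listed; it is example code written for this page, not BrandedMark's implementation. It draws every serial position from a cryptographic random source (so one serial reveals nothing about the next), validates the GTIN-14 check digit, renders the SGTIN as a GS1 Digital Link path (/01/{GTIN}/21/{serial}), and binds each serial to a manufacturer-side record at issue time. The in-memory Registry, the sample GTIN and the id.example.com base URL are assumptions standing in for a real database and domain.

```go
package main

import (
	"crypto/rand"
	"errors"
	"fmt"
	"math/big"
	"sync"
)

// Serial alphabet: upper-case letters and digits, a URL-safe subset of the characters
// GS1 permits in AI (21). Twenty positions give roughly 103 bits of entropy.
const serialAlphabet = "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
const serialLength = 20

// ValidGTIN14 checks length, digit content and the GS1 mod-10 check digit
// (weights 3,1,3,1,... from the left for a 14-digit GTIN).
func ValidGTIN14(gtin string) bool {
	if len(gtin) != 14 {
		return false
	}
	sum := 0
	for i := 0; i < 13; i++ {
		if gtin[i] < '0' || gtin[i] > '9' {
			return false
		}
		d := int(gtin[i] - '0')
		if i%2 == 0 {
			sum += 3 * d
		} else {
			sum += d
		}
	}
	if gtin[13] < '0' || gtin[13] > '9' {
		return false
	}
	return int(gtin[13]-'0') == (10-sum%10)%10
}

// NewSerial draws each position from crypto/rand, never from a counter or a seeded PRNG.
func NewSerial() (string, error) {
	out := make([]byte, serialLength)
	bound := big.NewInt(int64(len(serialAlphabet)))
	for i := range out {
		n, err := rand.Int(rand.Reader, bound)
		if err != nil {
			return "", err
		}
		out[i] = serialAlphabet[n.Int64()]
	}
	return string(out), nil
}

// DigitalLink renders the SGTIN as a GS1 Digital Link URI: {base}/01/{GTIN}/21/{serial}.
func DigitalLink(base, gtin, serial string) string {
	return fmt.Sprintf("%s/01/%s/21/%s", base, gtin, serial)
}

// ProductRecord is the manufacturer-side record created at manufacture.
type ProductRecord struct {
	GTIN   string
	Serial string
	Batch  string
}

// Registry is an in-memory stand-in (assumption) for the manufacturer's database.
type Registry struct {
	mu      sync.Mutex
	records map[string]ProductRecord // keyed by "GTIN:serial"
}

func NewRegistry() *Registry {
	return &Registry{records: map[string]ProductRecord{}}
}

// Issue creates one unit identity: a fresh random serial bound to a server-side record.
func (r *Registry) Issue(gtin, batch string) (ProductRecord, error) {
	if !ValidGTIN14(gtin) {
		return ProductRecord{}, errors.New("invalid GTIN-14")
	}
	r.mu.Lock()
	defer r.mu.Unlock()
	for {
		serial, err := NewSerial()
		if err != nil {
			return ProductRecord{}, err
		}
		key := gtin + ":" + serial
		if _, taken := r.records[key]; taken {
			continue // a collision is astronomically unlikely; retry rather than reuse
		}
		rec := ProductRecord{GTIN: gtin, Serial: serial, Batch: batch}
		r.records[key] = rec
		return rec, nil
	}
}

// Lookup is the authentication server's baseline check: the identifier must match a
// record only the manufacturer could have created. A guessed serial finds nothing.
func (r *Registry) Lookup(gtin, serial string) (ProductRecord, bool) {
	r.mu.Lock()
	defer r.mu.Unlock()
	rec, ok := r.records[gtin+":"+serial]
	return rec, ok
}

func main() {
	reg := NewRegistry()
	rec, err := reg.Issue("09506000134352", "LOT-2024-07") // constructed sample GTIN with a valid check digit
	if err != nil {
		panic(err)
	}
	fmt.Println(DigitalLink("https://id.example.com", rec.GTIN, rec.Serial))
}
```

The contrast with a typical ERP export is the serial source: a sequential or batch-level number lets anyone who sees one unit enumerate its neighbours, whereas a serial drawn from crypto/rand can only be found by asking the registry, which is exactly the check the authentication server performs.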

What a Static QR Code Actually Does

When a consumer scans a standard QR code, their device resolves a URL and loads a web page. The security of that interaction depends entirely on whether the URL itself is secure — and for a static QR code printed on a product, the URL is identical for every product of that type. Scanning the code on a counterfeit product loads the same page as scanning the code on a genuine one.

Some brands add a serial number to the URL, so each product has a unique link. This is better, but still not authentication. The URL is visible on the code and can be copied. The verification system, if it simply loads a page for any valid-looking URL structure, can be spoofed by anyone who understands the URL pattern.

Real server-side verification works differently. When a product is scanned, the request reaches the manufacturer's authentication server with the product's unique identifier. The server checks that identifier against the database of identifiers created at manufacture. It records the scan event — when, where, and on what device. And crucially, it evaluates the scan event in context.

Layer 2: Server-Side Verification — Making the Connection Real

Server-side verification transforms a product scan from a URL lookup into a genuine authentication event. When a serialised product is scanned, the request reaches the manufacturer's authentication server carrying the unit's unique identifier. The server checks it against records created at manufacture, logs the scan event with time, location, and device data, and evaluates whether the pattern is consistent with genuine use. This is where the architecture of QR code authentication matters most. A product manufactured in Stuttgart and sold in Munich should not generate simultaneous scan events in Dubai and São Paulo. When a counterfeit carries a copied identifier and both genuine and fake units are in circulation, contextual pattern analysis surfaces the anomaly — not as exotic fraud detection, but as basic logic applied at scale. Server-side verification also enables scan-count security: an identifier recorded 40,000 times is almost certainly counterfeit regardless of whether any individual scan fails a validity check. Only a server holding full scan history can detect this signal.

Contextual Scan Analysis

A product that was manufactured in Stuttgart and sold by a retailer in Munich should not, in the normal course of events, be scanned simultaneously in Dubai and São Paulo. When a counterfeit carries a copied identifier, and both the genuine product and the counterfeit are in active use, scan pattern analysis reveals the anomaly.

This is not exotic fraud detection. It is basic contextual logic: a single product identity should have a coherent geographic and temporal pattern. Deviations from that pattern are signals. At scale — across hundreds of thousands of products — these signals resolve into actionable intelligence about where in the supply chain counterfeiting is occurring and which product lines are most targeted.

Server-side verification also enables scan-count security. A product whose identifier has been scanned 40,000 times is almost certainly counterfeit regardless of whether any individual scan fails a validity check. The server-side system tracks this; a static code on packaging cannot.
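To show the two server-side signals described above (impossible travel and excessive scan count) in working code, here is an added example that is not BrandedMark's scan-analysis engine. It replays constructed scan events for three identifiers through a small analyser: a velocity finding is raised when two consecutive scans of the same serial imply travel faster than a threshold, and a scan-count finding when one serial accumulates more scans than any single product plausibly would. The thresholds (900 km/h, 20 scans), the coordinates, the device names and the 40-scan mass-reuse case (scaled down from the article's 40,000) are constructed sample values.

```go
package main

import (
	"fmt"
	"math"
	"sort"
	"time"
)

// ScanEvent is one record the authentication server logs per scan.
type ScanEvent struct {
	Serial string
	At     time.Time
	Lat    float64
	Lon    float64
	Device string
}

// Finding is an anomaly raised for one identifier.
type Finding struct {
	Serial string
	Kind   string // "velocity" or "scan-count"
	Detail string
}

const earthRadiusKm = 6371.0

// HaversineKm is the great-circle distance between two coordinates.
func HaversineKm(lat1, lon1, lat2, lon2 float64) float64 {
	rad := func(deg float64) float64 { return deg * math.Pi / 180 }
	dLat, dLon := rad(lat2-lat1), rad(lon2-lon1)
	a := math.Sin(dLat/2)*math.Sin(dLat/2) +
		math.Cos(rad(lat1))*math.Cos(rad(lat2))*math.Sin(dLon/2)*math.Sin(dLon/2)
	return 2 * earthRadiusKm * math.Asin(math.Sqrt(a))
}

// Analyse groups scans by serial and raises a finding when (a) two consecutive scans
// imply travel faster than maxSpeedKmh, or (b) one serial has more than maxScans scans.
func Analyse(events []ScanEvent, maxSpeedKmh float64, maxScans int) []Finding {
	bySerial := map[string][]ScanEvent{}
	for _, e := range events {
		bySerial[e.Serial] = append(bySerial[e.Serial], e)
	}
	serials := make([]string, 0, len(bySerial))
	for s := range bySerial {
		serials = append(serials, s)
	}
	sort.Strings(serials) // deterministic output order
	var findings []Finding
	for _, s := range serials {
		evs := bySerial[s]
		sort.Slice(evs, func(i, j int) bool { return evs[i].At.Before(evs[j].At) })
		if len(evs) > maxScans {
			findings = append(findings, Finding{s, "scan-count",
				fmt.Sprintf("%d scans exceed the limit of %d", len(evs), maxScans)})
		}
		for i := 1; i < len(evs); i++ {
			prev, cur := evs[i-1], evs[i]
			dist := HaversineKm(prev.Lat, prev.Lon, cur.Lat, cur.Lon)
			// Floor elapsed time at one minute: simultaneous scans far apart become an
			// absurd implied speed instead of a division by zero.
			hours := math.Max(cur.At.Sub(prev.At).Hours(), 1.0/60)
			if speed := dist / hours; speed > maxSpeedKmh {
				findings = append(findings, Finding{s, "velocity",
					fmt.Sprintf("%.0f km in %.1f min between %s and %s (%.0f km/h)",
						dist, hours*60, prev.Device, cur.Device, speed)})
				break // one velocity finding per serial is enough to flag it
			}
		}
	}
	return findings
}

// HasFinding reports whether findings contain a finding of kind for serial.
func HasFinding(findings []Finding, serial, kind string) bool {
	for _, f := range findings {
		if f.Serial == serial && f.Kind == kind {
			return true
		}
	}
	return false
}

// SampleEvents is constructed test data, not real scan logs.
func SampleEvents() []ScanEvent {
	t0 := time.Date(2024, 7, 1, 9, 0, 0, 0, time.UTC)
	evs := []ScanEvent{
		// Genuine unit: factory gate in Stuttgart, then the buyer in Munich two days later.
		{"SER-GENUINE", t0, 48.78, 9.18, "factory-gate"},
		{"SER-GENUINE", t0.Add(48 * time.Hour), 48.14, 11.58, "phone-a"},
		// Copied identifier: the same serial in Dubai and, five minutes later, in São Paulo.
		{"SER-COPIED", t0, 25.20, 55.27, "phone-b"},
		{"SER-COPIED", t0.Add(5 * time.Minute), -23.55, -46.63, "phone-c"},
	}
	// Mass-reused identifier: one serial scanned hourly from one location, 40 times.
	for i := 0; i < 40; i++ {
		evs = append(evs, ScanEvent{"SER-MASS", t0.Add(time.Duration(i) * time.Hour), 31.23, 121.47, fmt.Sprintf("phone-%d", i)})
	}
	return evs
}

func main() {
	for _, f := range Analyse(SampleEvents(), 900, 20) {
		fmt.Printf("%s %s: %s\n", f.Serial, f.Kind, f.Detail)
	}
}
```

Both checks need the full scan history for a serial, which is why a static code on packaging cannot perform them: the signal is in the sequence of events, not in any single scan. Thresholds are per-category tuning decisions; a consumable scanned once at purchase and a tool scanned at every service visit have very different plausible counts.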

Layer 3: Cryptographic Signing — Proof That Cannot Be Forged

Cryptographic signing provides mathematical proof that a product identity was created by a specific private key holder — proof that cannot be replicated without that key. At manufacture, each product record is signed using the manufacturer's private signing key; the signature is embedded in the QR code or NFC chip alongside the serial identifier. When a verifier scans the product, the signature is confirmed against the manufacturer's published public key without transmitting secrets. A counterfeit carrying a copied identifier fails verification because the counterfeiter lacks the private key — no workaround exists. Server-side verification confirms an identifier exists in a database. Cryptographic signing proves it was created by the manufacturer. For pharmaceutical products, luxury goods, and regulated components, cryptographic signing is the baseline for credible anti-counterfeiting claims. It is the difference between "this identifier exists in our system" and "this identifier was mathematically created by us." Verification works offline — an inspector with poor connectivity can confirm a signature against a published public key without database access.

How Product-Level Signing Works

At manufacture, each product's identity record is signed using the manufacturer's private key. The signature is embedded in the product's digital identity — typically encoded in the QR code or NFC chip alongside the serial identifier. When a consumer or verifier scans the product, their device or the verification server can confirm the signature against the manufacturer's public key without needing to transmit the private key or access the signing system.

The result is authentication that does not rely on database connectivity for its core security guarantee. Even in an offline context — an inspector in a warehouse with poor connectivity, a customs official at a border point — the cryptographic signature on a product can be verified against a published public key. A counterfeit carrying a copied identifier will fail signature verification unless the counterfeiter has the manufacturer's private key, which they do not.

For high-value goods, pharmaceutical products, and any product subject to regulatory compliance requirements, cryptographic signing is the baseline for credible anti-counterfeiting claims. It is the difference between "this identifier exists in our database" and "this identifier was created by us."
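The signing and offline verification flow described in this section and in the Layer 3 summary above, as an added example (not BrandedMark's code): the manufacturer signs a canonical form of the product identity with an Ed25519 private key, the signature travels inside the QR payload next to the GS1 Digital Link path, and any verifier holding only the published public key checks it with no network or database access. The "sig" query parameter is an assumption for this example (it is not a GS1 application identifier), as are the sample GTIN, serial and id.example.com base URL.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// ProductIdentity is the record signed at manufacture.
type ProductIdentity struct {
	GTIN   string
	Serial string
}

// canonical is the exact byte string that is signed; signer and verifier must agree on it,
// so it is versioned and uses a fixed field order.
func (p ProductIdentity) canonical() []byte {
	return []byte("sgtin-identity-v1|" + p.GTIN + "|" + p.Serial)
}

// GenerateManufacturerKey creates the signing pair. In production the private half lives
// in an HSM and only the public half is published.
func GenerateManufacturerKey() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// SignIdentity runs on the manufacturer's side; the result is a URL-safe base64 signature.
func SignIdentity(priv ed25519.PrivateKey, p ProductIdentity) string {
	return base64.RawURLEncoding.EncodeToString(ed25519.Sign(priv, p.canonical()))
}

// EncodeCarrier builds the payload printed into the QR code: a GS1 Digital Link
// (/01/{GTIN}/21/{serial}) with the signature in a custom "sig" query parameter (assumption).
func EncodeCarrier(base string, p ProductIdentity, sig string) string {
	return fmt.Sprintf("%s/01/%s/21/%s?sig=%s", base, p.GTIN, p.Serial, sig)
}

// VerifyCarrier parses a scanned URI and checks the signature against the published
// public key. It needs no network and no database: this is the offline check an
// inspector or customs officer can run.
func VerifyCarrier(uri string, pub ed25519.PublicKey) (ProductIdentity, error) {
	u, err := url.Parse(uri)
	if err != nil {
		return ProductIdentity{}, err
	}
	parts := strings.Split(strings.Trim(u.Path, "/"), "/")
	if len(parts) != 4 || parts[0] != "01" || parts[2] != "21" {
		return ProductIdentity{}, errors.New("not an SGTIN Digital Link")
	}
	p := ProductIdentity{GTIN: parts[1], Serial: parts[3]}
	sig, err := base64.RawURLEncoding.DecodeString(u.Query().Get("sig"))
	if err != nil || len(sig) != ed25519.SignatureSize {
		return p, errors.New("missing or malformed signature")
	}
	if !ed25519.Verify(pub, p.canonical(), sig) {
		return p, errors.New("signature invalid: record was not signed by the manufacturer's key")
	}
	return p, nil
}

func main() {
	pub, priv, err := GenerateManufacturerKey()
	if err != nil {
		panic(err)
	}
	p := ProductIdentity{GTIN: "09506000134352", Serial: "K7QH2M9ZP4RT6WX1BV3N"} // constructed sample
	uri := EncodeCarrier("https://id.example.com", p, SignIdentity(priv, p))
	_, err = VerifyCarrier(uri, pub)
	fmt.Println("genuine carrier verifies:", err == nil)
	// A re-serialised copy of the carrier cannot be re-signed without the private key.
	altered := strings.Replace(uri, p.Serial, "K7QH2M9ZP4RT6WX1BV3X", 1)
	_, err = VerifyCarrier(altered, pub)
	fmt.Println("altered carrier verifies:", err == nil)
}
```

Note what the signature does and does not prove: it proves the manufacturer created this identifier, so a counterfeiter cannot mint new serials or alter a copied one; it does not detect an exact copy of the whole carrier, signature included, which verifies identically. That is the gap the page's Layer 2 scan-history analysis (the same serial appearing in two places) and Layer 4 tamper-evidence (the carrier cannot be lifted intact) are there to close.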

The Passkey Connection

The same cryptographic infrastructure that enables product authentication also enables a more sophisticated form of ownership verification — and this is where passkeys for product identity become relevant.

WebAuthn passkeys, the standard underlying modern passwordless authentication, use device-bound cryptographic keys to prove identity without transmitting secrets. Applied to product ownership, a consumer who registers a product can bind their ownership claim to a passkey on their device. Subsequent interactions — warranty claims, ownership transfers, support requests — can be verified cryptographically, not just by checking whether someone knows an account password.

This is ownership proof at a level that traditional warranty registration cannot provide. When a customer submits a warranty claim, the system can verify not just that they have an account associated with the product, but that they are physically in possession of a device that was present at registration. The bar for fraudulent warranty claims — already low for most manufacturers — becomes significantly higher without adding friction for legitimate customers.
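The ownership proof outlined above, as an added example written for this page rather than BrandedMark's implementation: registration binds a unit to the public key of the customer's device, every later claim must sign a fresh single-use challenge with that key, and a transfer requires a valid proof from the current owner before the unit is rebound. This is a deliberately simplified model of WebAuthn (assumption): a real relying party also checks authenticatorData, clientDataJSON, origin and the credential ID, and the private key never leaves the device's authenticator. The two-minute challenge lifetime and the sample unit identifier are constructed values.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"sync"
	"time"
)

// OwnershipRegistry binds each registered unit ("GTIN:serial") to the public key of the
// device credential presented at registration (simplified WebAuthn model, see lead-in).
type OwnershipRegistry struct {
	mu         sync.Mutex
	owners     map[string]ed25519.PublicKey
	challenges map[string]pendingChallenge // single-use challenges keyed by hex value
	now        func() time.Time            // injectable clock
}

type pendingChallenge struct {
	product string
	expires time.Time
}

func NewOwnershipRegistry(now func() time.Time) *OwnershipRegistry {
	return &OwnershipRegistry{owners: map[string]ed25519.PublicKey{}, challenges: map[string]pendingChallenge{}, now: now}
}

// NewDeviceKey stands in for the key pair a platform authenticator creates at registration.
func NewDeviceKey() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// Register binds a unit to the first device that registers it.
func (r *OwnershipRegistry) Register(product string, devicePub ed25519.PublicKey) error {
	r.mu.Lock()
	defer r.mu.Unlock()
	if _, taken := r.owners[product]; taken {
		return errors.New("unit already registered; use Transfer")
	}
	r.owners[product] = devicePub
	return nil
}

// NewChallenge issues a random, short-lived, single-use challenge for a claim on product.
func (r *OwnershipRegistry) NewChallenge(product string) (string, error) {
	r.mu.Lock()
	defer r.mu.Unlock()
	if _, ok := r.owners[product]; !ok {
		return "", errors.New("unit is not registered")
	}
	buf := make([]byte, 32)
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	c := hex.EncodeToString(buf)
	r.challenges[c] = pendingChallenge{product: product, expires: r.now().Add(2 * time.Minute)}
	return c, nil
}

func assertionMessage(product, challenge string) []byte {
	return []byte("ownership-assertion-v1|" + product + "|" + challenge)
}

// DeviceSign is the claimant's side: the device signs the challenge with its bound key.
func DeviceSign(devicePriv ed25519.PrivateKey, product, challenge string) []byte {
	return ed25519.Sign(devicePriv, assertionMessage(product, challenge))
}

// ProveOwnership consumes the challenge and verifies the assertion against the key bound
// at registration, so a warranty claim proves possession of the registering device.
func (r *OwnershipRegistry) ProveOwnership(product, challenge string, sig []byte) error {
	r.mu.Lock()
	defer r.mu.Unlock()
	pc, ok := r.challenges[challenge]
	delete(r.challenges, challenge) // consumed on first use, success or failure
	switch {
	case !ok:
		return errors.New("unknown or already-used challenge")
	case pc.product != product:
		return errors.New("challenge was issued for a different unit")
	case r.now().After(pc.expires):
		return errors.New("challenge expired")
	case !ed25519.Verify(r.owners[product], assertionMessage(product, challenge), sig):
		return errors.New("assertion not signed by the registered device")
	}
	return nil
}

// Transfer rebinds the unit to a new device, but only on a valid proof from the current owner.
func (r *OwnershipRegistry) Transfer(product, challenge string, sig []byte, newPub ed25519.PublicKey) error {
	if err := r.ProveOwnership(product, challenge, sig); err != nil {
		return err
	}
	r.mu.Lock()
	defer r.mu.Unlock()
	r.owners[product] = newPub
	return nil
}

func main() {
	reg := NewOwnershipRegistry(time.Now)
	pub, priv, _ := NewDeviceKey()
	unit := "09506000134352:K7QH2M9ZP4RT6WX1BV3N" // constructed sample
	_ = reg.Register(unit, pub)
	c, _ := reg.NewChallenge(unit)
	fmt.Println("claim accepted:", reg.ProveOwnership(unit, c, DeviceSign(priv, unit, c)) == nil)
	fmt.Println("replay accepted:", reg.ProveOwnership(unit, c, DeviceSign(priv, unit, c)) == nil)
}
```

The contrast with password-based warranty registration is the thing being proven: a password proves knowledge, which is copied as easily as a static QR code, while a signed fresh challenge proves possession of the specific device bound at registration, and the single-use challenge means a captured assertion is worthless a second time.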

Layer 4: Physical Tamper-Evidence — Closing the Hardware Gap

Digital authentication secures a product's identity record but leaves one vulnerability open: a genuine identity carrier — a QR label, NFC chip, or printed code — physically removed from an authentic product and transferred to a counterfeit. If the carrier can be moved intact, one genuine product can authenticate many fakes indefinitely. Physical tamper-evidence closes this gap by making the identity carrier destructive to remove. Void labels display irreversible marks on peeling. Destructive NFC substrates disable the chip when the label is lifted. Labels with optically variable sub-surface features cannot survive reapplication without visible damage. These mechanisms do not make counterfeiting impossible for well-resourced operations, but they substantially raise the cost required. A sophisticated digital authentication stack paired with easily removable labels has a known, exploitable gap. Physical and digital security are complementary layers, not substitutes. Every attack vector — copied identifier, forged signature, transferred carrier — requires separate effort and leaves a separate forensic trail, making the economics of counterfeiting unfavourable.

The Business Case for Product Security

The return on investment from a complete connected product security stack is measurable across four distinct value streams.

  • Warranty fraud reduction: fraudulent warranty claims cost manufacturers an estimated 10–15% of total warranty spend. Cryptographic ownership verification combined with scan history analysis flags claims where ownership cannot be confirmed and scan patterns are inconsistent with genuine use.
  • Grey market visibility: products appearing in scan data from unauthorised regions signal supply chain diversion in near-real time, allowing intervention before revenue loss compounds.
  • Regulatory support: EU, US, and major Asian customs authorities increasingly accept cryptographically verified product identity as evidence of authenticity in enforcement actions.
  • Customer trust: consumers receiving unit-specific authenticity confirmation — not a generic brand landing page — report measurably higher purchase confidence.

For a product retailing above $100 in a category with documented counterfeiting, a complete security stack typically achieves positive ROI within the first year from warranty fraud reduction alone. The infrastructure also supports every connected product capability built on top of it.

What a Secure Connected Product Looks Like

A genuinely secure connected product has identifiable characteristics at every lifecycle stage.

  • At manufacture: each unit receives a random non-sequential SGTIN serial, a cryptographically signed identity record is bound to it, and the identifier is embedded in a tamper-evident carrier.
  • At distribution: every supply chain scan is recorded against the product's identity record, creating an auditable chain of custody.
  • At point of sale: a consumer scan resolves to an authentication server that verifies the serial, checks scan history for anomalies, confirms the cryptographic signature, and returns a result in under two seconds — no special app required.
  • Post-purchase: consumer registration binds ownership to device credentials, making warranty claims and support interactions cryptographically verifiable rather than based solely on account possession.
  • At end of life: the product's complete digital history is available for digital product passport requirements and circular economy programmes.

This architecture is deployable today on products that already carry QR codes, without factory hardware changes or supply chain disruption.

The Security Standard Is Moving Up

Connected product security is becoming a baseline compliance requirement rather than an optional competitive differentiator, driven by regulatory mandates and retailer expectations that move independently of individual manufacturer decisions. The EU's digital product passport regulations create direct friction for products without verifiable digital identities. Electronics and luxury goods retailers are beginning to require serialised identity as a listing condition. Customs authorities are developing capacity to verify cryptographic signatures at border inspection points. Brands treating QR code security as static — print a code, call it done — accumulate a compounding compliance gap as each regulatory milestone passes. Brands that build product security as a layered system — serialisation, server-side verification, cryptographic signing, physical tamper-evidence — build something more durable: identity infrastructure that accumulates intelligence with every scan and underpins every connected product capability deployed on top of it. The architecture is available today, deployable without factory changes, and cost-justified in most high-value product categories. A QR code is not authentication. The infrastructure behind it can be.


FAQ: Connected Product Security

Do I need cryptographic signing if my primary concern is warranty fraud, not counterfeiting?

No. Warranty fraud mitigation requires registration timing data, scan pattern analysis, and claim history tracking — all server-side functions that don't require cryptographic signing. Cryptographic signing is most valuable for high-margin or high-fraud-risk products (luxury goods, pharmaceuticals, regulated components). For typical durable goods, serialisation + server-side verification + scan pattern analysis solves 90% of fraud risk at a fraction of the complexity.

How do I implement cryptographic signing without slowing down manufacturing?

Signing happens post-manufacture, typically during packaging or quality assurance. The product receives its serial identifier and associated metadata during manufacturing. The signing key, stored securely in a Hardware Security Module (HSM), is then used to sign the product record in the digital system, not at the physical production line. This is a database operation, not a manufacturing operation — no slowdown required.

What's the cost difference between static QR codes and fully secured product identities?

Static QR codes: near zero cost at scale (pennies per code). Serialised identity without cryptography: $0.10–0.30 per product (unique code generation, database record). Cryptographically signed identity: $0.20–0.50 per product (signing overhead, key management). For a manufacturer shipping 1 million units annually, the difference between basic serialisation and cryptographic signing is $100K–$300K annually — typically justified by fraud risk reduction on high-value product lines or premium categories.

If I implement security infrastructure, do I need to retrofit existing products already in the field?

No. Future products carry the new security infrastructure. Existing products remain in place with whatever security level they currently have. You can bridge the gap by offering optional re-registration or re-serialisation for high-value products still under warranty, but it's not necessary for the security infrastructure to have business value — it compounds as new units ship with stronger identity and verification.


BrandedMark provides serialised GS1 Digital Link identity, server-side scan verification, and cryptographically signed product records as core platform capabilities — not add-ons. Security is part of the Product OS from the first product deployed.
