Imagine you sell 500 tickets to your festival. Three weeks later someone posts the QR code of their ticket in a WhatsApp group. By the time the doors open on Saturday, 50 people have saved it. You have no way to notice – and no way to stop it at the entrance.
This isn't a worst-case scenario. This is the current state of the art with classic QR code tickets.
Why a QR Code Offers No Security
A QR code is nothing more than a machine-readable representation of a string – typically a URL or an ID. The scanning system then checks a database: does this ID exist? Has it already been redeemed?
That sounds like security. But it has three fundamental weaknesses:
Problem 1 – Copyability: A QR code is an image file. Screenshot → Share → done. The image is identical, the ID is the same.
Problem 2 – Race Condition: At entry, it comes down to who scans first. The first one in wins. The ticket buyer can be left out.
Problem 3 – Offline Blindness: If the scanner works offline, it can only verify whether the code has a valid format – not whether it has already been redeemed.
The Scale of the Problem
Ticket fraud in Europe is not a fringe issue. The EUIPO estimates annual damages from forged or duplicated admission tickets at over €500 million.
| Attack scenario | Classic QR code | Entryix (signed) |
|---|---|---|
| Share screenshot | Works – identical ID | Invalid – signature is device-bound |
| Print QR code | First to scan wins | Invalid – ECDSA check fails |
| Resell ticket | Uncontrolled resale possible | Only via authorized transfer |
| Offline entry | No duplicate detection | Signature verifiable locally |
| Forge ticket | Possible with image editing | Mathematically impossible |
How Cryptographic Signatures Solve This
Entryix uses ECDSA signatures based on the ISO/IEC 18013-5 standard – the same standard that underpins the digital EU driver's license. At entry, the scanner checks three things: Is the signature valid? Was it created with the correct key? Does it match exactly this ticket's data?
If even a single character in the ticket is changed – or if someone tries to transfer the signature – the check fails irrevocably. This is not a security policy, but mathematics.
Result: A screenshot of an Entryix ticket is worthless. The QR code contains a signature that was created for exactly this ticket and, as the table above notes, is device-bound.
What About Offline Capability?
Because the signature is fully contained within the QR code, the scanner does not need to query a database. The cryptographic check happens locally on the scanner device – no internet, no server, no latency.
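The checks described above (valid signature, correct key, exact ticket data, all verified locally) can be sketched with Node's built-in `crypto` module. This is an added example, not Entryix code: the payload layout, the 30-second freshness window, the device-signed timestamp used to model "device-bound", and all function names are assumptions.

```javascript
const crypto = require('node:crypto');

const newKey = () => crypto.generateKeyPairSync('ec', { namedCurve: 'prime256v1' });
const sign = (key, text) => crypto.sign('sha256', Buffer.from(text), key).toString('base64');
const check = (key, text, sig) =>
  crypto.verify('sha256', Buffer.from(text), key, Buffer.from(sig, 'base64'));

// Issuer: sign the ticket data together with the holder's device public key.
function issueTicket(issuerPriv, data, devicePub) {
  const devicePubB64 = devicePub.export({ type: 'spki', format: 'der' }).toString('base64');
  const payload = JSON.stringify({ ...data, devicePub: devicePubB64 });
  return { payload, sig: sign(issuerPriv, payload) };
}

// Holder app (assumed): each displayed QR carries a timestamp signed by the device key.
function present(ticket, devicePriv, ts) {
  return { ...ticket, ts, proof: sign(devicePriv, `${ticket.sig}|${ts}`) };
}

// Scanner: local checks only; the issuer public key is the sole stored input.
function verifyAtGate(qr, issuerPub, now, maxAgeSec = 30) {
  if (!check(issuerPub, qr.payload, qr.sig)) return 'rejected: issuer signature';
  // Parse the payload only after it has been authenticated.
  const der = Buffer.from(JSON.parse(qr.payload).devicePub, 'base64');
  const devicePub = crypto.createPublicKey({ key: der, format: 'der', type: 'spki' });
  if (!check(devicePub, `${qr.sig}|${qr.ts}`, qr.proof)) return 'rejected: device proof';
  if (now < qr.ts || now - qr.ts > maxAgeSec) return 'rejected: stale code';
  return 'admitted';
}

// Constructed sample data: keys, ticket fields and timestamps are made up for the demo.
function demo() {
  const issuer = newKey(), phone = newKey(), otherPhone = newKey();
  const ticket = issueTicket(issuer.privateKey, { id: 'T-0001', seat: 'A1' }, phone.publicKey);
  const qr = present(ticket, phone.privateKey, 1000);
  return {
    fresh: verifyAtGate(qr, issuer.publicKey, 1005),
    screenshotLater: verifyAtGate(qr, issuer.publicKey, 4600),
    edited: verifyAtGate({ ...qr, payload: qr.payload.replace('A1', 'A2') }, issuer.publicKey, 1005),
    otherDevice: verifyAtGate(present(ticket, otherPhone.privateKey, 4600), issuer.publicKey, 4605),
  };
}

console.log(demo());
```

A copy shown inside the freshness window still passes these checks, so the window should be short and the scanner should also remember the ticket ids it has already admitted.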
More about the technical standard: What Is the EU Digital Identity Wallet?