For an app (Android & iOS) project, registration is needed, before being able to login. This is done by scanning a QR code
containing a one-time password
on the associated webpage, using a camera feature in the app.
The flow on web is: see info about app and app store link -> show QR -> set pin code -> confirm.
I want to create a mechanism, to avoid someone from opening the registration flow and then leaving his desk (e.g. going for a coffee at the office) for a while. Otherwise some 'attacker' could complete the QR step, and when the original user returns to his desk, he will set a pin and confirm. Possibly not realising that there was ever a QR step. Even though the 'attacker' will not know the PIN, the wrong device will be registered. So the original user will not be able to use his app.
Currently there is a time limit of 1 minute. But the QR can be reloaded with a new OTP, so it does not have much effect.
I dont think this is really possible, since QR codes can be arbitrary sizes, so i dont think there is a way to know how close or far a QR code really is, so cant really prevent an 'over the shoulder'. In any case if the user did walk away, then there really is no real way to differentiate an attacker or a real user because the attacker could get as close as they want technically.
Also what if the attacker scanned the code and set the pin while the user was away? I dont foresee this being a very secure method of registration, but it would be convenient. depends what an attacker could actually do with the app, if its a banking app i would not recommend this, but like if its a my little pony game, the reward outweighs the risk i think.