Ticket security, honestly.

No barcode is unforgeable on its own. Ticket security is the sum of several independent layers, and understanding each one is the fastest way to see what the system can and cannot do.

Layer 1: unguessable identifiers

Every ticket carries a random identifier, usually 128 bits or more. The number of possible values is vastly larger than the number of tickets that will ever be issued, so guessing a valid ID is computationally infeasible.

On its own this does not stop a real ticket from being copied, but it means that every attack has to start from a real ticket rather than an invented one.

Layer 2: single-use validation

The back-end system records every successful scan and marks the ID as used. Subsequent attempts with the same ID are rejected, whether they come from the same device or a different one.

This is the layer that defeats casual duplication: screenshot, forward, share — only the first copy through the gate gets in.

Layer 3: cryptographic signatures

The barcode payload can include a digital signature over the ticket details. The scanner verifies the signature with a public key it holds in advance, so it can detect tampering without contacting a server.

Signed payloads protect against two threats:

  • A forged ticket that happens to decode correctly — the signature will not verify.
  • A tampered real ticket (changing the seat or the date) — altering the payload invalidates the signature.

IATA’s boarding pass standard (BCBP) supports signed codes. Many large-venue ticketing platforms sign their QR payloads as well.

Layer 4: rotating and time-bound codes

For tickets where resale is a serious concern — flights, cup finals, some transit — the code itself is short-lived. The issuer’s app generates a fresh code every 30 or 60 seconds, so any screenshot becomes invalid before it can be resold.

Rotating codes require the issuer’s app (or wallet pass with live updates) and a clock sync between the device and the scanner. They do not prevent someone from scanning your live screen at the gate, but that requires physical presence with a coordinated accomplice, which is a much higher bar than sharing an image.

Layer 5: device and identity binding

Some high-value tickets bind the code to the device it was issued to, using platform attestation (Apple Wallet’s device-specific signing, for example). A copy of the code on a different device fails verification.

Others tie the ticket to a named attendee whose ID is checked at the gate. This is common for flights, international sports events, and some festivals.

What no barcode can defend against

  • Honest transfer — if the original ticket-holder lets someone else use their ticket and stays away, the gate has no way to know.
  • Insider attacks — an attacker with access to the issuer’s system can generate a real ticket. No cryptography on the code itself helps here.
  • Social engineering at the gate — a confident "the scanner is broken, just let me through" still works more often than it should.

Takeaways

  • The barcode is a lookup key, not a vault. The security lives in the system around it.
  • Signed, single-use codes validated against a trusted back-end are strong in practice.
  • Rotating codes add meaningful resale protection, at the cost of requiring the issuer’s app.
  • Nothing replaces identity checks when identity matters.
