Why a 2D barcode alone can't authenticate a product.

A QR code is open, copyable, tamper-blind data. A chip is cryptographic identity. Confusing the two is how counterfeits pass as genuine. Here is the difference, and the pairing that closes it.

By Aeroz · 5 min read · Last updated: June 2026

Scan a QR code on a product and a page loads confirming it's authentic. It feels like proof. It isn't — at least not on its own. A 2D barcode answers the question "what does this code say?" It does not answer "is this physical object the real one?" Counterfeiters live in the space between those two questions.

A QR code is open, visible data

A QR or other 2D barcode is, by design, a printed pattern that anyone can read and anyone can reproduce. That openness is its virtue for data exchange and its fatal flaw for authentication. Three failure modes follow directly from it.

It is trivially cloneable

Photograph a genuine code, reprint it, and the copy is indistinguishable from the original. Both encode the same identifier; both resolve to the same verification page. A counterfeiter who buys one authentic unit can clone its code across a thousand fakes, and every one of them will "verify." The code is real. The product isn't.

It is vulnerable to redirect hijack

Because a QR code usually encodes a URL, a fake can point its code at a look-alike verification site that always returns "authentic." A consumer can't see the destination before scanning, and a convincing clone of a brand's verification page is cheap to build. The scan succeeds; the trust is misplaced.

It is tamper-blind

A printed code has no idea what happened to the product it's attached to. A bottle can be refilled, a box reopened and resealed, a pill blister substituted — and the original barcode rides along, still scanning clean. The code cannot report a tamper event because it has no state to change.

Where the 2D barcode is still required

None of this means abandon the barcode. Regulators mandate it as the data carrier — the GS1 2D barcode under DSCSA and EU FMD, and the data carrier behind the EU Digital Product Passport. It is the open, universal, line-of-sight way to carry a GTIN, lot, expiry, and a link to the record. For carrying regulated data, the 2D barcode is correct and required. The error is asking it to also be the proof of authenticity. That is a different job.

An NFC chip is cryptographic identity

An NFC chip does the job a barcode can't. Rather than presenting a static number, a secure chip holds a protected key and proves it possesses that key without ever exposing it — answering a fresh challenge on each tap. You can't photograph a secret you never see, and you can't reprint a chip you can't read out. Bond that chip so an opening attempt severs or disables it, and the identity now carries tamper state too: break the seal and the proof voids.

That is the categorical difference. A barcode is data that anyone can copy. A chip is an identity that can prove itself and resist duplication. One is a label; the other is a witness.

| Attack | 2D barcode alone | NFC / chip | The pair |
|---|---|---|---|
| Photograph & reprint | Cloned | Resists | Fails counterfeit |
| Redirect hijack | Spoofable | Challenge-based | Cryptographic check |
| Tamper / refill | Invisible | Seal voids | Seal voids |
| Regulated data carrier | GTIN, lot, expiry | Identity only | Both, bound |
| Offline durability | Smudge / tear | Sealed IC | Redundant |

The unbreakable pair

The answer is not to choose. It is to bind the two so each covers the other's weakness. The 2D barcode carries the regulated data the law requires and the open link anyone can scan. The chip carries the cryptographic identity the barcode can't. Tie a unit's chip identity to its serialized barcode, and the attacks collapse: clone the barcode and the chip challenge fails; lift the chip and the seal voids; spoof the page and the cryptographic check still says no.

This is the same conclusion the regulated supply chain keeps reaching — under DSCSA, where a cloned barcode passes verification but fails a chip check, as we cover in the DSCSA countdown, and under the EU DPP, where a passport is only as trustworthy as its link to the item.
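The binding described in this section, together with the fresh-challenge behaviour described under "An NFC chip is cryptographic identity", as an added example (not Aeroz's code or any chip vendor's API). It assumes a shared per-unit key and uses HMAC-SHA256 as a stand-in for whatever algorithm a real chip implements; the class names, serial string, and in-memory key store are hypothetical.

```python
import hashlib, hmac, secrets

# Constructed sample unit; HMAC-SHA256 stands in for the chip's real algorithm.
SERIAL = "EXAMPLE-GTIN/LOT-A1/SN-0001"   # what the printed barcode carries
KEY = secrets.token_bytes(32)            # secret provisioned into the chip

class Chip:
    """Simulated secure chip: holds a key, answers challenges, voids on tamper."""
    def __init__(self, key):
        self._key = key
        self.seal_intact = True
    def respond(self, serial, challenge):
        if not self.seal_intact:
            return None                  # severed by opening: no proof available
        return hmac.new(self._key, serial.encode() + challenge, hashlib.sha256).digest()

class Verifier:
    """Brand-side check that binds each serialized barcode to one chip key."""
    def __init__(self, bindings):
        self._keys = dict(bindings)      # serial -> chip key
        self._pending = {}               # serial -> outstanding one-time challenge
    def barcode_only_check(self, serial):
        return serial in self._keys      # everything a printed code can prove
    def new_challenge(self, serial):
        self._pending[serial] = secrets.token_bytes(16)
        return self._pending[serial]
    def verify(self, serial, response):
        challenge = self._pending.pop(serial, None)   # single use: blocks replay
        key = self._keys.get(serial)
        if challenge is None or key is None or response is None:
            return False
        expected = hmac.new(key, serial.encode() + challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)

def tap(verifier, serial, chip):
    """One scan-plus-tap: read the barcode serial, challenge the chip, verify."""
    challenge = verifier.new_challenge(serial)
    return verifier.verify(serial, chip.respond(serial, challenge))

def demo():
    v = Verifier({SERIAL: KEY})
    genuine, fake = Chip(KEY), Chip(secrets.token_bytes(32))
    results = {"barcode_only_on_clone": v.barcode_only_check(SERIAL),
               "genuine_unit": tap(v, SERIAL, genuine),
               "cloned_barcode_fake_chip": tap(v, SERIAL, fake)}
    genuine.seal_intact = False          # seal broken after the first check
    results["after_tamper"] = tap(v, SERIAL, genuine)
    return results
```

The reprinted serial passes `barcode_only_check` on its own, while the same serial presented with a chip that lacks the bound key, a replayed response, or a broken seal is rejected.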

When to use which

Use the 2D barcode wherever you need open, universal, regulated data exchange and broad reach — it is required, and it is the right tool for that. Add the chip wherever the cost of a convincing counterfeit is high: medicines, high-value goods, safety-critical components, anything where "the code verified" is not good enough. For most regulated products the honest answer is both — the barcode for the data, the chip for the proof.

A barcode tells you what a product claims to be. A chip lets the product prove it. Authentication is the second sentence, and the durable approach binds them so neither can be borrowed. That pairing — and how it sits on top of the serialization you already run — is the basis of the Aeroz verification layer.

Anti-counterfeit audit

See where a copied code gets through.

A fixed-fee Aeroz audit pressure-tests your current authentication against cloning, redirect hijack, and tamper, then scopes the chip-plus-barcode pairing that closes the gaps — on top of the serialization and data carriers you already run.

Turnaround: 14 days
Engagement: Fixed fee
Deliverable: Written report
Commitment: None to proceed

What's included

  • Clone & spoof assessment of your current carrier.
  • Tamper-evidence review across your packaging.
  • Chip + barcode pairing scoped to one SKU or line.
  • Verification UX for dock, dispenser, and consumer phone.