TAGBASE assumes every link, device, and client may be compromised. Trust is anchored in the genuine physical tag: the fresh material it produces on each tap is what a static copy cannot reproduce.
Principles
- Anchored in hardware. Authenticity depends on material that only a genuine tag can produce, freshly, on every tap.
- Two-scan liveness. Validation isn’t just “is this URL valid.” It’s “did the same live tag produce two distinct taps within the window.” A static copy of a single tap can’t.
- No secrets in the client. All verification logic runs server-side, and the browser is treated as untrusted.
- Time-bound. The two taps must happen within a short window, which limits how long a harvested link stays useful and, together with single-use URLs, blocks replay.
The two-scan check
Verification requires two taps from the same live tag within a short window. The first tap opens a pending verification; the second must present new material, meaning material the server has not already accepted, to reach valid. A tap that repeats material already seen is treated as a likely clone and rejected. See how it works for the full flow.
Threats and mitigations
| Threat | Mitigation |
|---|---|
| Cloned tag | A static copy replays one tap and fails the second (liveness). |
| Link replay | Verification URLs are single-use and time-bound. |
| Client tampering | Verification runs server-side; clients hold no secrets. |
Optional signals
Geolocation and device signals can flag unexpected tap patterns, and the server keeps a per-tag verification history for audit and compliance.
One-step mode (showing product info on the first tap) trades away the second-scan liveness proof for a simpler experience. It’s available per team but discouraged, since a captured URL still verifies once, for whoever presents it first.
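The two-scan check and the one-step trade-off, worked through as an added example; this is not TAGBASE code. Because the page does not specify the tag technology, it assumes that each tap presents a tag ID, a counter that increases on every tap, and an HMAC-SHA256 over both under a per-tag key that only the server holds. The 60-second window, the tag ID and the key are constructed for the demonstration.

```python
import hashlib
import hmac
from dataclasses import dataclass

WINDOW_SECONDS = 60  # assumed length of the two-tap window; the page only says "short"


@dataclass(frozen=True)
class Tap:
    """What one tap delivers to the server (assumed format, not TAGBASE's)."""
    tag_id: str
    counter: int
    mac: str  # hex digest; a static copy carries the same counter and mac every time


def compute_mac(key: bytes, tag_id: str, counter: int) -> str:
    """The fresh material a genuine tag is assumed to produce on each tap."""
    return hmac.new(key, f"{tag_id}:{counter}".encode(), hashlib.sha256).hexdigest()


class Verifier:
    """All secrets and state live here, server-side; the client is untrusted."""

    def __init__(self, tag_keys: dict[str, bytes], window: int = WINDOW_SECONDS):
        self.tag_keys = tag_keys
        self.window = window
        self.last_counter: dict[str, int] = {}  # highest counter accepted per tag (single-use)
        self.pending: dict[str, tuple[int, int]] = {}  # tag_id -> (counter, opened_at)
        self.history: dict[str, list[tuple[int, str]]] = {}  # per-tag audit trail

    def _authentic(self, tap: Tap) -> bool:
        key = self.tag_keys.get(tap.tag_id)
        if key is None:
            return False
        return hmac.compare_digest(compute_mac(key, tap.tag_id, tap.counter), tap.mac)

    def _fresh(self, tap: Tap) -> bool:
        """New material means a counter the server has never accepted before."""
        return tap.counter > self.last_counter.get(tap.tag_id, -1)

    def _record(self, tap: Tap, now: int, outcome: str) -> str:
        self.history.setdefault(tap.tag_id, []).append((now, outcome))
        return outcome

    def two_scan(self, tap: Tap, now: int) -> str:
        """Two fresh taps from the same tag within the window reach 'valid'."""
        if not self._authentic(tap):
            return self._record(tap, now, "rejected: bad mac")
        if not self._fresh(tap):
            # Same material seen again: a static copy, not a live tag.
            return self._record(tap, now, "rejected: replay, likely clone")
        self.last_counter[tap.tag_id] = tap.counter  # consume this tap's URL
        opened = self.pending.get(tap.tag_id)
        if opened is None or now - opened[1] > self.window:
            # Nothing open, or the earlier tap timed out: start a new pending check.
            self.pending[tap.tag_id] = (tap.counter, now)
            return self._record(tap, now, "pending")
        del self.pending[tap.tag_id]
        return self._record(tap, now, "valid")

    def one_step(self, tap: Tap, now: int) -> str:
        """One-step mode: a single authentic, unused tap is enough."""
        if not self._authentic(tap):
            return self._record(tap, now, "rejected: bad mac")
        if not self._fresh(tap):
            return self._record(tap, now, "rejected: replay")
        self.last_counter[tap.tag_id] = tap.counter
        return self._record(tap, now, "valid")


def demo() -> dict[str, str]:
    """Runs the page's scenarios against constructed data and returns each outcome."""
    key = b"constructed-per-tag-key"  # constructed; held only by the server
    tag = "TAG-0001"  # constructed tag ID

    def genuine(counter: int) -> Tap:
        return Tap(tag, counter, compute_mac(key, tag, counter))

    t0 = 1_700_000_000
    out: dict[str, str] = {}
    v = Verifier({tag: key})
    # Genuine tag: two fresh taps five seconds apart.
    out["genuine_first"] = v.two_scan(genuine(7), t0)
    out["genuine_second"] = v.two_scan(genuine(8), t0 + 5)
    # Genuine tag, but the second tap arrives after the window: it only reopens pending.
    out["late_first"] = v.two_scan(genuine(9), t0 + 100)
    out["late_second"] = v.two_scan(genuine(10), t0 + 100 + WINDOW_SECONDS + 1)
    # Static copy of the tag's next tap (counter 11), captured before the tag used it.
    clone = genuine(11)
    out["clone_first"] = v.two_scan(clone, t0 + 300)
    out["clone_second"] = v.two_scan(clone, t0 + 305)
    # Client that knows the URL format but not the key.
    out["forged"] = v.two_scan(Tap(tag, 12, "00" * 32), t0 + 400)
    # One-step mode on a fresh verifier: the captured URL works exactly once.
    w = Verifier({tag: key})
    out["one_step_first"] = w.one_step(clone, t0)
    out["one_step_replay"] = w.one_step(clone, t0 + 1)
    return out


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:16} {outcome}")
```

Tracking the highest accepted counter per tag is what makes every tap URL single-use in both modes; the pending record with its timestamp is what makes the two-scan check time-bound. The static copy is accepted as pending on its first presentation and refused on its repeat, which is the liveness failure the threat table describes, while in one-step mode the same copy is accepted once before it is refused.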