QR codes that can't be copied - possible?

This is a bad idea.

To understand why, imagine there is no QR code, just a human-readable display of the URL.

Now, would you base a security scheme around keeping this URL secret? Of course you wouldn't; it is the rankest security by obscurity.

If you want to keep the URL fairly confidential, do so without any advanced wizardry, but you need your security to be secure even if everyone knows the URL. Implement authentication on access to the resource, not (just) on access to the resource name.


No matter what we put in the barcode, we always come up with the same flaw: someone could photograph the QR code, print it and rescan it.

Or just scan a screen displaying the code. This can't be avoided, since QR codes were made specifically to address these kinds of issues (bad printing, some transformation, rotation, etc.).

You won't find a technique to prevent photographs of the code either, since if you can't shoot the picture then the reader won't be able to either.

The idea that comes to my mind is:

  • Register the devices allowed to access the service (device ID or so)
  • Move the service to a VPN area, with internal addresses that won't be available to anyone who can't connect to it.

This hinges on how you would implement the validation of access permission. If it's simply having access to a certain location, you'd need physical security. For example, you could send a letter to a personal address and request the recipient to destroy the code after use. If it's having some specific information, then you're back to encryption solutions. For example, you could use one of the many solutions that online banks use, like one-time pads of numbers or random number tokens.

What you cannot possibly protect against with any method except actually working biometrics (or human validation in the case of physical security) is the fact that anybody who has access can simply hand over that access to anybody else.
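An added example, not part of any answer above: a sketch of the "authenticate access to the resource, not the resource name" advice combined with the one-time number lists mentioned in the last answer. The class `OneTimeCodeGate`, the URL and the user names are hypothetical; the QR code is assumed to carry only the URL, and the codes are assumed to reach each user out of band.

```python
import hashlib
import hmac
import secrets

# Constructed sample value: the URL encoded in the QR code, assumed to be public.
QR_URL = "https://example.com/r/door-17"

class OneTimeCodeGate:
    """Grants access to a resource only for an unused one-time code."""

    def __init__(self):
        # resource URL -> user -> set of SHA-256 digests of unused codes
        self._unused = {}

    def issue_codes(self, url, user, count=5):
        """Create `count` random codes for `user`; only digests are kept."""
        codes = [secrets.token_hex(8) for _ in range(count)]
        digests = {hashlib.sha256(c.encode()).digest() for c in codes}
        self._unused.setdefault(url, {}).setdefault(user, set()).update(digests)
        return codes  # handed to the user out of band, e.g. a printed list

    def access(self, url, user, code):
        """Return True once per valid code; knowing the URL is never enough."""
        candidates = self._unused.get(url, {}).get(user, set())
        presented = hashlib.sha256((code or "").encode()).digest()
        match = None
        for digest in candidates:
            # Constant-time comparison of fixed-length digests.
            if hmac.compare_digest(digest, presented):
                match = digest
        if match is None:
            return False
        candidates.discard(match)  # consume it: a replayed code is rejected
        return True

def demo():
    """Walk through the cases a copied QR code would produce."""
    gate = OneTimeCodeGate()
    codes = gate.issue_codes(QR_URL, "alice")
    return [
        gate.access(QR_URL, "alice", ""),          # copied QR only, no code
        gate.access(QR_URL, "alice", codes[0]),    # legitimate first use
        gate.access(QR_URL, "alice", codes[0]),    # replay of a captured code
        gate.access(QR_URL, "mallory", codes[1]),  # code issued to someone else
    ]

if __name__ == "__main__":
    print(demo())
```

A real deployment would also rate-limit failed attempts per user. As the last answer notes, nothing here stops a legitimate user from passing an unused code to someone else.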