Sounds like standard 2fa flow, except without the initial 1st factor. 1) User loads login.php (or whatever), 2) login.php generates a random code, stores that in a database and generates a QR code, most likely a URL that includes the token. eg: https://mysite.com/login_with_code.php?code=$randomcode, 3) login_with_code.php prompts the user (on their phone now, because they scanned the QR code and it opened their browser) for their login and, assuming validated login, associates session ID 12345 with user ABCD. No need for an overarching library.