I think using tabs makes a lot of sense. This is looking like this PayPal Android interface:
I don't understand the settings tab, could you say more about what it's intended for?
Passwords, accounts and authentication are a little unusual in Collect so it might be helpful for me to describe in some detail. In typical apps, you'd just be prompted for a username and password because the app itself would know about the service it was talking to (e.g. PayPal). Collect does not know anything about the service it's communicating with and that is one of the things that needs to be configured. It's possible for a remote service to provide anonymous access for data collection or to do something like embed authentication information in a URL. That means username and password are optional.
Admin passwords are optionally set locally on individual devices. This is useful in scenarios like an organization hiring hundreds of lightly-trained staff to perform data collection when the organization doesn't want the staff to change e.g. the server or username or whether forms should auto-send. There's no such thing as an admin account or an admin username. The admin password just provides an easy way to limit access to certain features. This QR code feature is obviously sensitive since it lets a user reconfigure Collect including its passwords. That means that you should assume that if this device has an admin password set, the user has had to enter it before seeing the QR code screen.
The idea with the QR code is that it makes it possible to exactly duplicate the configuration of one device on another. That means the QR codes could potentially be sensitive:
- If a server password is set in general settings, that will be included in clear text by default but should be removable
- If an admin password is set in admin settings, that will be included in clear text by default but should be removable
- Server URLs can potentially contain a sensitive key that will always be included in clear text
This is different from, say, your PayPal QR code which does share user identifying information but no passwords. It's really important that the user gets a warning if any of these three sensitive values are set. I don't feel as strongly that they must be removable from the QR code (as is possible now).
I like what @Xiphware has shared above for a purely login QR code. In Collect's case, we're talking about a QR code that may or may not contain server identity, server credentials, client UI configuration, etc. I don't think duplicating some subset of fields from settings on the QR code screen is appropriate.