SQRL - Secure Quick Reliable Logon - ever heard of it?
-
Steve Gibson has created a new logon method using QR codes, with potential out-of-band authentication. It uses strong encryption along with hashing to create unique logons for every site.
https://www.grc.com/sqrl/sqrl.htm
I'm asking because personally I love this idea and I hope it takes off, but more importantly I wonder if we could set it up here once it goes live.
-
It does say how the mobile app will communicate back with the site to verify when you scan the code. Is it through a third-party server? Bluetooth to your computer?
-
The idea is that you leave your cell phone on the cellular wireless network, not the local wireless network.
You go to the website (mangolassi.it, for example) and it shows you a QR code; you scan that code with your phone. The phone sends the logon information over the cellular network to the server, and the web server knows it's you because the phone sends some data from the QR code.

Of course there will be times when you don't have, or don't want to be bothered to pull out, the phone, so Steve Gibson is currently writing a Windows desktop client and the IIS extensions to make it work on Windows. You won't get out-of-band authentication, but in this case it's really not required.
-
Would suck for those of us that live in places where there is no wireless
-
@scottalanmiller said:
Would suck for those of us that live in places where there is no wireless
That's why Steve is writing a desktop client. A separate coder has already written an Android client. That developer and Steve G have tested the systems against each other and they are providing the same information, so the 'process' is being followed.
-
One thing that is awesome about this is the ability to have the same root key exportable and shareable between devices. This is something Google should do for Google Authenticator.
-
If there is a desktop client... how does it become secure?
-
@scottalanmiller said:
If there is a desktop client... how does it become secure?
Why would it be any more secure on any other platform?
He's taken a lot of security considerations into account. For example, he's using algorithms that currently can't be shortcut by hardware and that take at least 60 seconds per try to brute-force the password. Similar precautions apply to exporting the key.
Showing the key on screen (or printed) is no less secure than usernames and passwords are today, but there is one major benefit: if one site is compromised, users using SQRL don't have to worry about any other website they use with SQRL being compromised.
-
I have to be missing something. I'm not finding how it verifies the user at all. At what stage does it determine who you are?
-
The client creates a hash (a pseudo private/public key pair) of the website address along with your private key, and includes the crypto challenge (indicated on the page). This hash is basically like a public key, but only for this website. The pseudo private key is used to sign the crypto challenge provided by the original website request.
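The exchange described in this post (and the per-site isolation claimed a few posts up) written out as an added example. This is not Steve Gibson's code or the SQRL reference implementation: the post's "hash of the website address along with your private key" is modelled here as HMAC-SHA256 keyed with the master key, with the 32-byte result seeding an Ed25519 key pair, and the master key value is a constructed placeholder. The function names (`SiteKeyPair`, `SignChallenge`, `VerifyLogin`) are this example's own.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// MasterKey stands in for the secret identity key that stays on the user's
// device. Constructed placeholder for this example only; a real client would
// generate it randomly and store it encrypted.
var MasterKey = []byte("example-master-key-32-bytes-long")

// SiteKeyPair derives the per-site key pair the post describes: the site's
// domain is hashed together with the master key (here HMAC-SHA256 keyed by the
// master key) and the 32-byte result seeds an Ed25519 key pair. The public key
// is the user's identity for that one site; the private half never leaves the
// client. The exact primitives are an assumption, not a statement of the SQRL spec.
func SiteKeyPair(master []byte, domain string) (ed25519.PublicKey, ed25519.PrivateKey) {
	mac := hmac.New(sha256.New, master)
	mac.Write([]byte(domain))
	seed := mac.Sum(nil) // 32 bytes, exactly ed25519.SeedSize
	priv := ed25519.NewKeyFromSeed(seed)
	return priv.Public().(ed25519.PublicKey), priv
}

// NewChallenge is the server side of the exchange: a fresh random nonce that
// the web page encodes into the QR code, so a captured signature cannot be replayed.
func NewChallenge() ([]byte, error) {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return nonce, nil
}

// SignChallenge is what the phone (or desktop client) does after scanning the
// code: derive the site-specific key and sign the challenge with it. It returns
// the site public key and the signature, which together go back to the server.
func SignChallenge(master []byte, domain string, challenge []byte) (ed25519.PublicKey, []byte) {
	pub, priv := SiteKeyPair(master, domain)
	return pub, ed25519.Sign(priv, challenge)
}

// VerifyLogin is the server's check: the signature over the challenge it issued
// must verify under the public key presented. The server stores nothing but a
// per-site public key, so a breach of one site yields nothing usable at another.
func VerifyLogin(pub ed25519.PublicKey, challenge, sig []byte) bool {
	if len(pub) != ed25519.PublicKeySize {
		return false // ed25519.Verify panics on a malformed key; reject instead
	}
	return ed25519.Verify(pub, challenge, sig)
}

func main() {
	challenge, err := NewChallenge()
	if err != nil {
		panic(err)
	}
	pubA, sig := SignChallenge(MasterKey, "mangolassi.it", challenge)
	pubB, _ := SiteKeyPair(MasterKey, "example.com")

	fmt.Println("mangolassi.it identity:", hex.EncodeToString(pubA))
	fmt.Println("example.com identity:  ", hex.EncodeToString(pubB))
	fmt.Println("login verifies at mangolassi.it:", VerifyLogin(pubA, challenge, sig))
	fmt.Println("same signature accepted at example.com:", VerifyLogin(pubB, challenge, sig))
}
```

Two properties fall out of the derivation: the same master key and domain always yield the same public key, so the site can recognise a returning user with nothing more than that key on file, and two different domains yield unrelated key pairs, so a signature (or a leaked public key) from one site is useless at any other.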
-
FYI, using SQRL doesn't mean that a website won't still want a second way to verify someone's identity, etc.
Many of the doubters look at websites that use an email address as a logon name. These websites are getting a two-for-one benefit. SQRL does not get this. If the site wants to provide a way to 'reset the user's password,' the site will need to find another way to verify identity, i.e. an email address, questions and answers, text message - whatever they want to use.