[Discuss] Steve Gibson's SQRL
Tom Metro
tmetro+blu at gmail.com
Wed Feb 25 10:27:26 EST 2015
Edward Ned Harvey wrote:
> SQRL is something you have - it's yet another key manager...
It's not quite so black-and-white. The master key is encrypted with a
pass phrase, so that's something you know.
I believe the master key isn't directly derived from the pass phrase, so
you still need to "have" the key in some way.
> I am in favor of 2-factor authentication, involving something you
> know, *and* something you have.
The decryption of the master key could involve a 2nd (3rd?) factor.
> cbcrypt.org...takes hostid, username, and password, and converts them
> into an asymmetric keypair. Only the public key gets exposed to the
> server, so the server is able to confirm that *you* know your secret,
> without the server actually knowing your secret.
SQRL uses an identical mechanism, but uses different source material for
the site-specific key.
-Tom
--
Tom Metro
The Perl Shop, Newton, MA, USA
"Predictable On-demand Perl Consulting."
http://www.theperlshop.com/
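The mechanism Tom compares in his last paragraph, a site-specific key pair derived from master material so that only a public key ever reaches the server, as an added example that is not code from this thread, from SQRL or from cbcrypt. It is modelled on SQRL's published derivation (HMAC-SHA256 keyed with the master key, over the site's domain, used as an Ed25519 seed) and uses only the Go standard library. The master key, the domain names and the challenge format are constructed for the example, and the pass-phrase encryption of the master key at rest is left out.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// sampleMasterKey is a constructed 32-byte secret standing in for the client's
// randomly generated master key. A real client stores it encrypted under the
// user's pass phrase; that layer is not modelled here.
var sampleMasterKey = func() []byte {
	k := sha256.Sum256([]byte("constructed sample master key, not a real identity"))
	return k[:]
}()

// siteKeyPair derives the per-site Ed25519 key pair from
// HMAC-SHA256(masterKey, domain) used as the seed. Only the domain varies
// between sites, so two sites get unrelated public keys and cannot link the user.
func siteKeyPair(masterKey []byte, domain string) (ed25519.PublicKey, ed25519.PrivateKey) {
	mac := hmac.New(sha256.New, masterKey)
	mac.Write([]byte(domain))
	seed := mac.Sum(nil) // 32 bytes, exactly ed25519.SeedSize
	priv := ed25519.NewKeyFromSeed(seed)
	return priv.Public().(ed25519.PublicKey), priv
}

// authMessage is what the client signs: the server's domain bound to its
// nonce, so a signature collected by one site is useless against another.
func authMessage(domain string, nonce []byte) []byte {
	return append([]byte(domain+"\n"), nonce...)
}

// Server holds only public keys; it never sees the master key or a site key.
type Server struct {
	Domain   string
	accounts map[string]bool // hex(public key) -> registered
}

func NewServer(domain string) *Server {
	return &Server{Domain: domain, accounts: map[string]bool{}}
}

// Challenge returns a fresh random nonce for one authentication attempt.
func (s *Server) Challenge() []byte {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	return nonce
}

// Authenticate verifies the signature over (domain, nonce) and registers the
// public key on first sight. It returns (accepted, firstVisit).
func (s *Server) Authenticate(pub ed25519.PublicKey, nonce, sig []byte) (bool, bool) {
	if len(pub) != ed25519.PublicKeySize || !ed25519.Verify(pub, authMessage(s.Domain, nonce), sig) {
		return false, false
	}
	id := hex.EncodeToString(pub)
	first := !s.accounts[id]
	s.accounts[id] = true
	return true, first
}

// ClientRespond answers a challenge from the site the client believes it is
// talking to; the domain comes from the client's own view of the URL.
func ClientRespond(masterKey []byte, domain string, nonce []byte) (ed25519.PublicKey, []byte) {
	pub, priv := siteKeyPair(masterKey, domain)
	return pub, ed25519.Sign(priv, authMessage(domain, nonce))
}

func main() {
	srv := NewServer("example.com")
	other := NewServer("example.org")

	pubA, _ := siteKeyPair(sampleMasterKey, srv.Domain)
	pubB, _ := siteKeyPair(sampleMasterKey, other.Domain)
	fmt.Println("per-site public keys differ:", !bytes.Equal(pubA, pubB))

	nonce := srv.Challenge()
	pub, sig := ClientRespond(sampleMasterKey, srv.Domain, nonce)
	ok, first := srv.Authenticate(pub, nonce, sig)
	fmt.Println("login accepted:", ok, "first visit:", first)

	// The same response presented to another site fails: both the key and the
	// signed message are bound to example.com.
	ok, _ = other.Authenticate(pub, nonce, sig)
	fmt.Println("replay against other site accepted:", ok)
}
```

The point of binding the domain into both the key derivation and the signed message is that a phishing site at a look-alike domain receives a key pair and a signature that verify only for itself; the client's view of the URL, not the server's claim, decides which key is used.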