BLU Discuss list archive
[Discuss] Steve Gibson's SQRL
- Subject: [Discuss] Steve Gibson's SQRL
- From: tmetro+blu at gmail.com (Tom Metro)
- Date: Tue, 24 Feb 2015 21:35:32 -0500
In the runaway thread on corporate security practices someone asked whether there were any good alternatives to passwords. No one mentioned Steve Gibson's SQRL (Secure Quick Reliable Login) technology:

https://www.grc.com/sqrl/sqrl.htm

It uses a bit of PKI (using elliptic curve rather than RSA keys) and typically works in conjunction with a smartphone app. Here's the process:

- A site you want to login to shows a QR code on the screen. The QR code contains a URL to an authentication service, and a random string.
- You capture that code with the phone's camera, then the app on the phone signs the URL string, and posts it to the authentication service URL.
- The site validates the signature.
- The user goes back to their browser, and clicks the login button on the site to complete the login.

The private key used to sign the URL string is derived in part from the site's domain and a master key, so each site has its own unique private key, yet the authentication app only needs to store the one master private key.

You actually don't have to use a smartphone app. The QR code is wrapped in a hyperlink with a sqrl:// scheme that can launch an authentication app on your desktop. (Your master key can be loaded into multiple apps.)

Logins can be anonymous, in the sense that they don't need to be tied to an email address or name, though of course many sites will do that. The user is uniquely identified by their public key, and yet that public key is site-specific, so it can't easily be correlated across different sites.

You can probably think of a bunch of holes in this model, but before you post about them, read through the page above, where many are addressed.

The real weakness of the design is that it is still a rather geeky solution requiring a fair bit of understanding of the process by the end user. Even in the simplest scenario where you have an authentication app installed on the same machine as the browser and just need to click on the QR code, it won't be obvious to casual users that a QR code is something you should click on to login. (Though I guess labeling around the QR code could address that.)

Will this tech eventually get integrated into browsers? If so, what security implications does that have?

There are some very early adopters adding support for this (like Drupal) and multiple apps and libraries for implementing it, but it's yet to be seen whether it'll take off.

-Tom

--
Tom Metro
The Perl Shop, Newton, MA, USA
"Predictable On-demand Perl Consulting."
http://www.theperlshop.com/
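The flow Tom describes (one master key, a per-site key derived from it and the domain, a signed challenge URL, server-side verification) is easy to model end to end. The following Go program is an added illustration, not code from SQRL, GRC or this list; it uses HMAC-SHA256 of the domain under the master key as the Ed25519 seed, an `sqrl://host/auth?nut=<random>` challenge URL and raw Ed25519 over the URL bytes. Those choices are simplifications chosen for the example, not the SQRL specification's exact KDF, URL format or message encoding, and the names `siteKey`, `newChallenge`, `clientSign` and `serverVerify` are this example's own.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// siteKey derives the per-site Ed25519 key pair from the single master key
// and the site's domain. HMAC-SHA256(master, domain) gives a 32-byte seed
// (assumption for this example; SQRL's actual derivation differs in detail).
// Because the seed depends on the domain, two sites never see the same
// public key, so the identity cannot be correlated across sites.
func siteKey(master []byte, domain string) (ed25519.PublicKey, ed25519.PrivateKey) {
	mac := hmac.New(sha256.New, master)
	mac.Write([]byte(strings.ToLower(domain)))
	seed := mac.Sum(nil) // exactly ed25519.SeedSize (32) bytes
	priv := ed25519.NewKeyFromSeed(seed)
	return priv.Public().(ed25519.PublicKey), priv
}

// challenge is what the site encodes in the QR code: the authentication
// endpoint plus a fresh random string ("nut"), so every login signs
// something new and an old signature cannot be replayed.
type challenge struct {
	Domain string
	URL    string
}

func newChallenge(domain string) (challenge, error) {
	nonce := make([]byte, 16)
	if _, err := rand.Read(nonce); err != nil {
		return challenge{}, err
	}
	url := fmt.Sprintf("sqrl://%s/auth?nut=%s", domain, hex.EncodeToString(nonce))
	return challenge{Domain: domain, URL: url}, nil
}

// response is what the app posts back to the authentication endpoint:
// the URL it signed, the site-specific public key and the signature.
type response struct {
	URL    string
	PubKey ed25519.PublicKey
	Sig    []byte
}

// clientSign is the phone/desktop app side: derive the site key and sign
// the challenge URL exactly as scanned.
func clientSign(master []byte, c challenge) response {
	pub, priv := siteKey(master, c.Domain)
	return response{URL: c.URL, PubKey: pub, Sig: ed25519.Sign(priv, []byte(c.URL))}
}

// serverVerify is the site side. It must compare the signed URL against
// the challenge it actually issued (binding the nonce) before checking the
// signature; verifying an attacker-chosen URL would accept replays.
func serverVerify(issued challenge, r response) bool {
	if r.URL != issued.URL {
		return false
	}
	if len(r.PubKey) != ed25519.PublicKeySize {
		return false
	}
	return ed25519.Verify(r.PubKey, []byte(r.URL), r.Sig)
}

func main() {
	master := make([]byte, 32)
	if _, err := rand.Read(master); err != nil {
		panic(err)
	}
	c, _ := newChallenge("example.com")
	r := clientSign(master, c)
	fmt.Println("login accepted:", serverVerify(c, r))

	// Same master key, different domain: a different public key, so the
	// two sites cannot link the accounts by key alone.
	pubA, _ := siteKey(master, "example.com")
	pubB, _ := siteKey(master, "example.org")
	fmt.Println("keys differ across sites:", !pubA.Equal(pubB))
}
```

After a successful `serverVerify`, the site looks up the account registered under `r.PubKey` (or creates one on first use); the key itself is the identity, with no email or username required.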