
SQRL: Secure QR Login : Replacement for Usernames and passwords


27 replies to this topic

#1 +warwagon

warwagon

    Only you can prevent forest fires.

  • Tech Issues Solved: 2
  • Joined: 30-November 01
  • Location: Iowa

Posted 04 October 2013 - 21:06


 

Recently Steve Gibson from GRC was brainstorming one day and thought of a new authentication solution called SQRL: Secure QR Login.

 

You can listen to him talk about it on Security Now

 

#424

https://media.grc.com/sn/sn-424.mp3

 

or if you just want to read about it you can do so via his documentation page. I can't really explain it much more than this. I haven't listened to the podcast yet, just glanced at the documentation page.

 

https://www.grc.com/sqrl/sqrl.htm

 





#2 HawkMan

HawkMan

    Neowinian Senior

  • Tech Issues Solved: 4
  • Joined: 31-August 04
  • Location: Norway
  • Phone: Nokia Lumia 1020

Posted 04 October 2013 - 21:28

QR codes are still idiotic and the worst idea (well, using them for what they're being used for is) since the first computer.

 

People don't scan QR codes, people don't want to scan QR codes. MAYBE if the camera on a phone ALWAYS was working, and it automatically and intelligently detected QR codes and scanned them in for you, but intelligently so not every time the lens passed over one. 

 

But yeah, what everyone wants to do is find a silly square code, open a special app on their phone, attempt to "scan" the QR code, get redirected to a website in ANOTHER program ... the whole idea and implementation is laughable. And they will die now that NFC is starting to take off and NFC can be implemented in stuff, and they work automatically, just touch the phone to it and voila, not that I think people will be using them much for such purposes either but at least their implementation works a million times better for the purpose.



#3 OP +warwagon


Posted 04 October 2013 - 21:39

QR codes are still idiotic and the worst idea (well, using them for what they're being used for is) since the first computer.

 

People don't scan QR codes, people don't want to scan QR codes. MAYBE if the camera on a phone ALWAYS was working, and it automatically and intelligently detected QR codes and scanned them in for you, but intelligently so not every time the lens passed over one. 

 

But yeah, what everyone wants to do is find a silly square code, open a special app on their phone, attempt to "scan" the QR code, get redirected to a website in ANOTHER program ... the whole idea and implementation is laughable. And they will die now that NFC is starting to take off and NFC can be implemented in stuff, and they work automatically, just touch the phone to it and voila, not that I think people will be using them much for such purposes either but at least their implementation works a million times better for the purpose.

 

I disagree. How would you tap your phone on a website using NFC?



#4 +BudMan

BudMan

    Neowinian Senior

  • Tech Issues Solved: 90
  • Joined: 04-July 02
  • Location: Schaumburg, IL
  • OS: Win7, Vista, 2k3, 2k8, XP, Linux, FreeBSD, OSX, etc. etc.

Posted 04 October 2013 - 21:42

http://www.michael.b...not-really-new/

#5 sc302

sc302

    Neowinian Senior

  • Tech Issues Solved: 25
  • Joined: 12-July 05
  • Location: NJ, USA

Posted 04 October 2013 - 22:08

You know what could eventually replace user names and passwords that is pretty secure.... Iris scan mixed with facial recognition... Your facial features don't change all that much and an iris scan (this is not an invasive retina scan) would identify you very accurately. We are looking at different biometric authentication technologies to implement at work to do away with passwords. Iris, which can be done with an HD camera you can buy at the store for Skype, would work perfectly, same with facial recognition. The tech is readily available to do this, it just needs to get a little more affordable (the software that runs this isn't cheap even if the hardware is relatively inexpensive).

#6 HawkMan


Posted 04 October 2013 - 22:21

I disagree. How would you tap your phone on a website using NFC?


You wouldn't, just as you would use your phone or a QR code to log into a web site, the whole idea is stupid. As I also pointed out.

#7 primexx

primexx

    Neowinian Senior

  • Tech Issues Solved: 6
  • Joined: 24-April 05

Posted 05 October 2013 - 03:05

You know what could eventually replace user names and passwords that is pretty secure.... Iris scan mixed with facial recognition... Your facial features don't change all that much and an iris scan (this is not an invasive retina scan) would identify you very accurately. We are looking at different biometric authentication technologies to implement at work to do away with passwords. Iris, which can be done with an HD camera you can buy at the store for Skype, would work perfectly, same with facial recognition. The tech is readily available to do this, it just needs to get a little more affordable (the software that runs this isn't cheap even if the hardware is relatively inexpensive).

 

Iris scan + facial recognition is a little redundant. It's still just 1 factor, albeit slightly more accurate & precise than each alone. Doesn't exactly make things any more secure than existing solutions though.



#8 +Phouchg

Phouchg

    Resident Misanthrope

  • Tech Issues Solved: 9
  • Joined: 28-March 11
  • Location: Neowin Detainment Camp

Posted 05 October 2013 - 08:02

Usernames and passwords aren't/haven't ever been the problem; their management is. That's the long and short of it.

 

Also, I wouldn't trust my phone with so much top shelf private information. That's like writing it on paper and hiding under the keyboard. Or house keys under the floor mat.



#9 sc302


Posted 05 October 2013 - 11:31

Primexx, you don't need multi-factor with biometrics; you need a way to positively identify one person from another with little to no chance of a false positive. You are thinking 2 dimensional..

#10 sc302


Posted 05 October 2013 - 11:35

Usernames and passwords aren't/haven't ever been the problem; their management is. That's the long and short of it.

Also, I wouldn't trust my phone with so much top shelf private information. That's like writing it on paper and hiding under the keyboard. Or house keys under the floor mat.

If you ever deal with the government internally, yes it is a problem. Not a major one provided you have password complexity and it is constantly changing, so it is written in their SOPs and documentation for other entities. The one thing that doesn't require any sort of change is biometric authentication and is thought by them to be more secure than a password as it can be proven that it is you accessing the computer and digitally signing important documents that can be held up in court.

#11 +Phouchg


Posted 05 October 2013 - 12:28

If you ever deal with the government internally, yes it is a problem. Not a major one provided you have password complexity and it is constantly changing, so it is written in their SOPs. The one thing that doesn't require any sort of change is biometric authentication and is thought by them to be more secure than a password as it can be proven that it is you accessing the computer and digitally signing important documents that can be held up in court.


I won't argue that biometrics provides much greater authentication possibilities. However, I will ask how many security breaches happen at the user's side/because of the user's fault (cookies and other login storage mechanisms aside - they are part of the problem and must be abolished) and how many happen in transit or at the server side. Biometrics is still a blob of data and there's pretty much all the usual crypto under it.

#12 sc302


Posted 05 October 2013 - 14:01

I won't argue that biometrics provides much greater authentication possibilities. However, I will ask how many security breaches happen at the user's side/because of the user's fault (cookies and other login storage mechanisms aside - they are part of the problem and must be abolished) and how many happen in transit or at the server side. Biometrics is still a blob of data and there's pretty much all the usual crypto under it.

And that has to deal with the security of the transmission itself. There are many facets of security between the end user and the system, going through the authentication process to the application and data transmission and then how bulletproof the server itself is. The authentication/authorization portion is just one part of security.

#13 episode

episode

    Neowinian Fanatic

  • Tech Issues Solved: 3
  • Joined: 11-December 01

Posted 05 October 2013 - 14:09

 

Yup, even Google tested this for logins for a while a couple of years ago.



#14 +BudMan


Posted 05 October 2013 - 14:21

^ Yeah, just typical Gibson trying to draw attention to himself over nothing. Windows metafile backdoor, Raw Sockets, the syncookie nonsense, etc. etc.

 

Seems WH likes to post links to his stuff quite often - my way of keeping an eye on what nonsense he is spouting now..  ;)



#15 OP +warwagon


Posted 05 October 2013 - 14:24

^ Yeah, just typical Gibson trying to draw attention to himself over nothing. Windows metafile backdoor, Raw Sockets, the syncookie nonsense, etc. etc.

 

Seems WH likes to post links to his stuff quite often - my way of keeping an eye on what nonsense he is spouting now..  ;)

 

So raw sockets didn't end up being an issue?