Question

Posted

Recently Steve Gibson from GRC was brainstorming one day and thought of a new authentication solution called SQRL: Secure QR Login.

 

You can listen to him talk about it on Security Now

 

#424

https://media.grc.com/sn/sn-424.mp3

 

or if you just want to read about it you can do so via his documentation page. I can't really explain it much more than this. I haven't listened to the podcast yet, just glanced at the documentation page.

 

https://www.grc.com/sqrl/sqrl.htm

 

38 answers to this question

Posted

Inconvenient security will always be ignored. Look at UAC in Windows: it had to be dialed back because it was inconvenient, and people still turn it off. More to the point, the people it actually would help, the people with the most knowledge about computers, turn it off.

It's why credit card companies cover fraud for their customers. They could make the cards more secure, but then they'd be inconvenient to use. So while credit card company A had secure credit cards that didn't cover fraud because it wasn't necessary, credit card company B would get all the business because their cards are convenient but insecure, but they cover any fraud.

1 person likes this


Posted

If by chance this ever got adopted into the major browsers, then once an identity is created I think it would be more convenient and more secure.


Posted

SQRL Presentation by Steve Gibson at the 2014 DigiCert Security Summit.

http://vimeo.com/112444120


Posted

I came across this very well-written page explaining how SQRL works:

 

http://sqrl.pl/guide/index.html#overview

 

I think I might just be the only person on Neowin excited about this :laugh:


Posted

I think I might just be the only person on Neowin excited about this :laugh:

 

Registered just to agree with you.

 

 

Whenever you find yourself on the side of the majority, it is time to pause and reflect.

Mark Twain

 

I can't wait for this to go mainstream. I hope linux users and developers go wild with it.


Posted

I think U2F is more likely to catch on, that's actually got support from browser makers.


Posted

I think U2F is more likely to catch on, that's actually got support from browser makers.

 

Ya, maybe. But if I remember correctly, doesn't the server with U2F still have to keep some secrets?


Posted

SQRL Demonstration on Security Now

When he said "I'll log onto your computer using SQRL, Leo", what he meant was he will log onto his (Steve's) account on Leo's computer.

In this case he took a picture of it with his phone. On a desktop you simply click the QR code with your mouse. What he also didn't say is that he did have to enter a strong password to unlock his SQRL account on his computer. But to gain access to someone's SQRL account you need the password, plus the recovery code, which he makes very clear during the creation of your SQRL account not to store on your computer.

 

https://www.youtube.com/watch?v=2QQ-Hi7npbM&feature=youtu.be


Posted

Using this method the servers have no secrets to keep. When I say secrets I mean using this method the server does NOT store any usernames and passwords. If a server gets hacked it's really no big deal, because there is nothing on the server that anyone can use to log in to that site or any other site on the internet as you.

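The "no secrets on the server" property described in the post above, shown as an added Go example that is not from this thread or from the SQRL project: the client derives a per-site Ed25519 key pair from a master key using HMAC-SHA256 keyed by the site's domain (a simplified form of SQRL's published derivation), and the site stores and checks only the public key, challenging each login with a fresh nonce. The master key value, the in-memory Server type and the nonce format are constructed for this demo and are assumptions, not SQRL's wire protocol.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// DeriveSiteKeys derives the per-site Ed25519 key pair a SQRL client uses for
// one domain: the private-key seed is HMAC-SHA256(masterKey, domain), so each
// site sees a different public key that cannot be linked to the others.
func DeriveSiteKeys(masterKey []byte, domain string) (ed25519.PublicKey, ed25519.PrivateKey) {
	mac := hmac.New(sha256.New, masterKey)
	mac.Write([]byte(domain))
	priv := ed25519.NewKeyFromSeed(mac.Sum(nil)) // 32-byte seed -> Ed25519 key
	return priv.Public().(ed25519.PublicKey), priv
}

// Server is everything a SQRL-enabled site persists about its users: a set of
// public keys. Dumping this map gives an attacker nothing that logs in anywhere.
type Server struct{ Users map[string]bool } // hex(public key) -> enrolled
func NewServer() *Server { return &Server{Users: map[string]bool{}} }
// Enroll records a public key; this is the entire "account" the server keeps.
func (s *Server) Enroll(pub ed25519.PublicKey) { s.Users[hex.EncodeToString(pub)] = true }

// Challenge issues a fresh random nonce the client must sign for this login,
// so a captured signature cannot be replayed against a later challenge.
func (s *Server) Challenge() []byte {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	return nonce
}
// Authenticate succeeds only if pub is enrolled and sig is a valid signature
// over the nonce; the server needs no secret of its own to check this.
func (s *Server) Authenticate(pub ed25519.PublicKey, nonce, sig []byte) bool {
	return s.Users[hex.EncodeToString(pub)] && ed25519.Verify(pub, nonce, sig)
}

func main() {
	master := []byte("constructed demo master key; a real client keeps it encrypted")
	pub, priv := DeriveSiteKeys(master, "example.com")
	srv := NewServer()
	srv.Enroll(pub)
	nonce := srv.Challenge()
	fmt.Println("login ok:", srv.Authenticate(pub, nonce, ed25519.Sign(priv, nonce)))
}
```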
Posted

A demonstration video I recorded today

 

A quick note, the 1st time you use your imported identity you are prompted for your full password. It only prompted me for the 1st 4 characters because I actually did an edit in the video right at that spot. Which means I goofed and cut that part out.

 

https://www.youtube.com/watch?v=ePTWaQb1w4A


Posted

 

A demonstration video I recorded today

 

A quick note, the 1st time you use your imported identity you are prompted for your full password. It only prompted me for the 1st 4 characters because I actually did an edit in the video right at that spot. Which means I goofed and cut that part out.

 

https://www.youtube.com/watch?v=ePTWaQb1w4A

 

It is an interesting concept, but I cannot see it taking off. With the likes of the YubiKey along with LastPass to store passwords, the unwashed masses are yet to take it up, and there are still a lot of websites out there that don't bother to offer 2FA for the users' accounts. We are getting there though, just slowly.


Posted

It is an interesting concept, but I cannot see it taking off. With the likes of the YubiKey along with LastPass to store passwords, the unwashed masses are yet to take it up, and there are still a lot of websites out there that don't bother to offer 2FA for the users' accounts. We are getting there though.

Personally I think this is so much easier and safer than LastPass.

 

If you are using this with a site and if that site gets hacked you really don't even have to change your password.


Posted

I posted the following on the GRC newsgroup regarding SQRL:

After I recorded the video I was trying to think of every single attack surface I could think of on how a user would get their identity stolen, and I came up with the following scenarios.

Scenario 1

Hacker compromises a user's PC, has remote access and has also installed a key logger.

They wait a while for the user to enter his entire password into SQRL. Because he has remote access to the user's machine, he opens the SQRL client, displays the QR code on screen, takes a screenshot, prints the exported information to a PDF file instead of a printer, or just uses the "store the file" option, all of which he sends back to himself.

He then uses the QR code to import your identity (which does not require the recovery code) onto his machine and has the password to match.

Scenario 2

Someone has physical access to your machine and installs a keylogger via software or a physical device attached to your keyboard. They wait until they have your password, then they export your identity to a USB device and leave.

So then I thought that anything done in the Backup or Export section should require the recovery code. Then I was like, well no, because if there is a keylogger on the system they would get that as well, and that's not good.

So then what's the solution? Without access to a QR code or the other code + the recovery code, the SQRL password is absolutely worthless.

Except for how easy it might be for an attacker to export it out of the machine.

The only solution I could think of is something separate which is printed out, that you would be instructed to store in a separate place from the recovery code and printed QR code. How about a list of one-time-use codes which would be used for authentication to export your identity?
