SQRL: Secure QR Login : Replacement for Usernames and passwords



Recently Steve Gibson from GRC was brainstorming one day and thought of a new authentication solution called SQRL: Secure QR Login.

 

You can listen to him talk about it on Security Now:

 

#424

https://media.grc.com/sn/sn-424.mp3

 

or if you just want to read about it you can do so via his documentation page. I can't really explain it much more than this. I haven't listened to the podcast yet, just glanced at the documentation page.

 

https://www.grc.com/sqrl/sqrl.htm

 


QR codes are still idiotic and the worst idea (well, using them for what they're being used for is) since the first computer.

 

People don't scan QR codes, people don't want to scan QR codes. MAYBE if the camera on a phone ALWAYS was working, and it automatically and intelligently detected QR codes and scanned them in for you, but intelligently so not every time the lens passed over one. 

 

But yeah, what everyone wants to do is find a silly square code, open a special app on their phone, attempt to "scan" the QR code, get redirected to a website in ANOTHER program ... the whole idea and implementation is laughable. And they will die now that NFC is starting to take off and NFC can be implemented in stuff, and they work automatically, just touch the phone to it and voila, not that I think people will be using them much for such purposes either but at least their implementation works a million times better for the purpose.


I disagree. How would you tap your phone on a website using NFC?


You know what could eventually replace usernames and passwords that is pretty secure... Iris scan mixed with facial recognition... Your facial features don't change all that much and an iris scan (this is not an invasive retina scan) would identify you very accurately. We are looking at different biometric authentication technologies to implement at work to do away with passwords. Iris, which can be done with an HD camera you can buy at the store for Skype, would work perfectly, same with facial recognition. The tech is readily available to do this, it just needs to get a little more affordable (the software that runs this isn't cheap even if the hardware is relatively inexpensive).


I disagree. How would you tap your phone on a website using NFC?

You wouldn't, just as you would use your phone or a QR code to log into a website, the whole idea is stupid. As I also pointed out.


Iris scan + facial recognition is a little redundant. It's still just one factor, albeit slightly more accurate and precise than each alone. Doesn't exactly make things any more secure than existing solutions though.


Usernames and passwords aren't/haven't ever been the problem; their management is. That's the long and short of it.

 

Also, I wouldn't trust my phone with so much top shelf private information. That's like writing it on paper and hiding under the keyboard. Or house keys under the floor mat.


Primexx, you don't need multi-factor with biometrics; you need a way to positively identify one person from another with little to no chance of a false positive. You are thinking two-dimensionally..


Usernames and passwords aren't/haven't ever been the problem; their management is. That's the long and short of it.

Also, I wouldn't trust my phone with so much top shelf private information. That's like writing it on paper and hiding under the keyboard. Or house keys under the floor mat.

If you ever deal with the government internally, yes it is a problem. Not a major one provided you have password complexity and it is constantly changing, so it is written in their SOPs and documentation for other entities. The one thing that doesn't require any sort of change is biometric authentication, and it is thought by them to be more secure than a password as it can be proven that it is you accessing the computer and digitally signing important documents, which can be held up in court.

I won't argue that biometrics provides much greater authentication possibilities. However, I will ask how many security breaches happen at the user's side/because of the user's fault (cookies and other login storage mechanisms aside - they are part of the problem and must be abolished) and how many happen in transit or at the server side. Biometrics is still a blob of data and there's pretty much all the usual crypto under it.


And that has to do with the security of the transmission itself. There are many facets of security between the end user and the system, going through the authentication process to the application and data transmission, and then how bulletproof the server itself is. The authentication/authorization portion is just one part of security.

^ yeah just typical Gibson trying to draw attention to himself over nothing.  Windows Metafile backdoor, raw sockets, the SYN cookie nonsense, etc. etc..

 

Seems WH likes to post links to his stuff quite often - my way of keeping an eye on what nonsense he is spouting now..  ;)


So raw sockets didn't end up being an issue?


And that has to do with the security of the transmission itself. There are many facets of security between the end user and the system, going through the authentication process to the application and data transmission, and then how bulletproof the server itself is. The authentication/authorization portion is just one part of security.

That it is. Say, do you consider authentication on the user side the weakest link, currently? I may not have the expertise, but I'll say I don't. Biometrics is effectively a login that can't be physically stolen, falsified or forgotten and is easier to use. However, how does one solve the problem that it is invariable? As soon as we introduce other, changing identifiers to safeguard against the possibility of login data being compromised, we're back to glorified usernames and passwords. If I'm being remotely correct on that, I propose we turn attention to other, more problematic parts - bulletproofing protocols, abolishing legacy protocols, mandating much more careful code and hardware audits and, in the recent light, preventing unsanctioned wiretapping.


You serious?  Did the internet come crashing down as predicted by SG?  Funny, I don't recall that happening ;)

 

Raw Sockets are still here - internet seems to still be working.. ;)


There is always a line that must be walked between security and usability.

If security gets in the way of usability then your security has failed. I have no interest in having to check my phone for an SMS code every time I log into a service, nor do I have any interest in doing any other sort of hoop jumping.

Sure for enterprises and government security you need something beyond simple passwords.

If your home computer needs biometrics and two factor logins then I question what you keep on there.

Are you talking about a home computer that needs two factor to log into websites / service?


There is always a line that must be walked between security and usability.

If security gets in the way of usability then your security has failed. I have no interest in having to check my phone for an SMS code every time I log into a service, nor do I have any interest in doing any other sort of hoop jumping.

Sure for enterprises and government security you need something beyond simple passwords.

If your home computer needs biometrics and two factor logins then I question what you keep on there.

If you have something to hide, you probably shouldn't be doing it in the first place. Now where have I heard this particularly unconvincing sentence...



Remember this about security: if it has been created by man it can be broken by man. Security has to be forever evolving. There is no way to protect indefinitely unless on a completely closed system that is not accessible from any network other than itself. People are always finding new security holes even after a system has been deemed secure. So investing in ways to protect our systems in their entirety will never happen, as there will always be someone who can circumvent it.

Take the best safe in the world; there isn't anyone who couldn't break through if given enough time, even if they only had a chisel and a hammer. That is security in a nutshell.


  • 2 weeks later...

After listening to the latest Q&A I am very excited about this stuff.

 

 

I've even been contacted by the W3C, the HTML5 spec editor, who says authentication and login is like a serious problem, no one has solved it yet, this looks wonderful, let's talk. So...

 

I do have a page of all of that other stuff that people are finding, just so it has a place to live, so I can say, yeah, we've seen all of that, and none of it is the same. There's even been some people saying, like showing me patents. And if you look at the diagram on the patent, it's got 26 different things all pointing at each other. And it's like, okay, look at my picture, and look at their picture. There's just no comparison.

 

Yes. Now, imagine in a library or a public kiosk. What this literally lets you do is snap a QR code that's being displayed on a computer you do not trust. And without entering any of your credentials, you're logged in. So, I mean, so that's really a change. That's really cool.

 

That part would be great, as well.

 

 

Steve: They all do. In fact, we can skip the first one because he was just asking, he says he loves the SQRL idea, but he doesn't have a smartphone. So we've covered that. You will be able to use desktop clients. Oh, and another advantage of the desktop client, because people have asked about browser plugins to do SQRL, well, first of all, browser plugins are kind of scary because they're in the browser, and you wonder about the browser's security.

  • 4 weeks later...

God this not being able to edit your first posts and titles anymore really SUCKS!

 

Anywho... they have given SQRL a new acronym: Secure Quick Reliable Login.

 

Too many people were associating this thing with QR codes. This thing does not have to rely on something you take pictures of AT ALL! It could also be something you just click via a browser plugin. In any case there is a bunch more new information on the page.

 

https://www.grc.com/sqrl/sqrl.htm

 

Personally I'm really excited about this.
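The two points the thread keeps circling back to are the kiosk scenario quoted above (scan a code shown on a computer you do not trust and be logged in without typing a credential there) and the later note that the scheme does not actually depend on a QR code at all. The following is an added illustration, not code from GRC or the SQRL project, of the mechanism that makes both true: the client holds one master secret, derives a separate key pair for each site from it (here seed = HMAC-SHA256(master, domain), then Ed25519), and answers a single-use challenge from the site with a signature sent over the client's own connection. The QR code is just one way to carry the challenge string from the screen to the signer; a browser plugin could hand over the same string. All names, the `sqrl://` URL layout with a `nut` nonce parameter, the sample master secret and the domains are assumptions made for the example, and the real SQRL specification fixes its own derivation and wire details.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// deriveSiteKey turns a single master secret into a per-site Ed25519 key pair.
// The seed is HMAC-SHA256(master, domain), so every domain gets an unrelated
// identity and a look-alike phishing domain yields a key the real site has
// never seen. (Illustrative derivation chosen for this example, not the spec's.)
func deriveSiteKey(master []byte, domain string) ed25519.PrivateKey {
	mac := hmac.New(sha256.New, master)
	mac.Write([]byte(strings.ToLower(domain)))
	return ed25519.NewKeyFromSeed(mac.Sum(nil)) // SHA-256 output is exactly the 32-byte seed
}

// clientRespond is the phone's (or plugin's) side: parse the challenge carried by
// the QR code, derive the key for *that* domain and sign the exact challenge
// string. The kiosk never sees the master secret or the per-site private key.
func clientRespond(master []byte, challenge string) (ed25519.PublicKey, []byte, error) {
	u, err := url.Parse(challenge)
	if err != nil || u.Scheme != "sqrl" || u.Host == "" {
		return nil, nil, errors.New("malformed challenge")
	}
	priv := deriveSiteKey(master, u.Host)
	return priv.Public().(ed25519.PublicKey), ed25519.Sign(priv, []byte(challenge)), nil
}

// Server keeps registered identities, outstanding single-use nonces and the
// browser sessions that have been logged in by a signer.
type Server struct {
	domain   string
	users    map[string]string // hex public key -> account name
	pending  map[string]string // nonce ("nut") -> browser session that requested it
	loggedIn map[string]string // browser session -> account name
}

func NewServer(domain string) *Server {
	return &Server{domain: domain, users: map[string]string{},
		pending: map[string]string{}, loggedIn: map[string]string{}}
}

// Register stores a public key as an account's identity (done once, on signup).
func (s *Server) Register(name string, pub ed25519.PublicKey) {
	s.users[hex.EncodeToString(pub)] = name
}

// Challenge mints a random single-use nonce bound to the browser session that
// asked for it and returns the login URL the page renders as a QR code.
func (s *Server) Challenge(session string) string {
	nut := make([]byte, 16)
	if _, err := rand.Read(nut); err != nil {
		panic(err)
	}
	n := hex.EncodeToString(nut)
	s.pending[n] = session
	return "sqrl://" + s.domain + "/login?nut=" + n
}

// Authenticate is what the signer posts straight to the server over its own
// connection: the public key it used for this domain and the signature.
func (s *Server) Authenticate(challenge string, pub ed25519.PublicKey, sig []byte) (string, error) {
	u, err := url.Parse(challenge)
	if err != nil || u.Scheme != "sqrl" || u.Host != s.domain {
		return "", errors.New("challenge is not for this domain")
	}
	nut := u.Query().Get("nut")
	session, ok := s.pending[nut]
	if !ok {
		return "", errors.New("unknown or already used nonce")
	}
	if len(pub) != ed25519.PublicKeySize || !ed25519.Verify(pub, []byte(challenge), sig) {
		return "", errors.New("bad signature")
	}
	delete(s.pending, nut) // single use: a photographed QR code cannot be replayed later
	name, known := s.users[hex.EncodeToString(pub)]
	if !known {
		return "", errors.New("unregistered identity")
	}
	s.loggedIn[session] = name // the kiosk's browser session is now the user's; nothing was typed there
	return name, nil
}

func main() {
	master := []byte("constructed demo master secret, not a real key") // constructed sample secret
	srv := NewServer("example.com")
	pub, _, _ := clientRespond(master, "sqrl://example.com/enrol")
	srv.Register("alice", pub)

	challenge := srv.Challenge("kiosk-browser-session") // shown as a QR code on the untrusted kiosk
	pub, sig, _ := clientRespond(master, challenge)    // phone scans and signs
	fmt.Println(srv.Authenticate(challenge, pub, sig))  // alice <nil>
	fmt.Println(srv.Authenticate(challenge, pub, sig))  // replay: error
	other, _, _ := clientRespond(master, "sqrl://examp1e.com/login?nut=0")
	fmt.Println(hex.EncodeToString(pub) == hex.EncodeToString(other)) // false: other site, other identity
}
```

Two properties worth noticing: the server stores only public keys, so a server breach leaks nothing that logs in anywhere else, and because the key is derived from the domain in the challenge, a look-alike domain cannot harvest the identity used on the real one. What the example does not address is the kiosk's own screen and keyboard after login, which Gibson's remark about browser security also leaves open.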


Nothing that relies on a third-party device or ... plugin is ever going to take off.

 

Unless it's integrated into the browser or made a standard. Small steps.

 

I've even been contacted by the W3C, the HTML5 spec editor, who says authentication and login is like a serious problem, no one has solved it yet, this looks wonderful, let's talk. So...

 
