SQRL: Secure QR Login : Replacement for Usernames and passwords


27 replies to this topic

#16 +Phouchg

Phouchg

    Resident Misanthrope

  • Tech Issues Solved: 9
  • Joined: 28-March 11
  • Location: Neowin Detainment Camp

Posted 05 October 2013 - 14:33

and that has to deal with the security of the transmission itself. There are many facets of security between the end user and the system, going through the authentication process to the application and data transmission and then how bulletproof the server itself is. The authentication/authorization portion is just one part of security.


That it is. Say, do you consider authentication on the user side the weakest link, currently? I may not have the expertise, but I'll say I don't. Biometrics is effectively a login that can't be physically stolen, falsified or forgotten and is easier to use. However, how does one solve the problem that it is invariable? As soon as we introduce other, changing identifiers to safeguard against the possibility of login data being compromised, we're back to glorified usernames and passwords. If I'm being remotely correct on that, I propose we turn attention to other, more problematic parts - bulletproofing protocols, abolishing legacy protocols, mandating much more careful code and hardware audits and, in the recent light, preventing unsanctioned wiretapping.


#17 +BudMan

BudMan

    Neowinian Senior

  • Tech Issues Solved: 92
  • Joined: 04-July 02
  • Location: Schaumburg, IL
  • OS: Win7, Vista, 2k3, 2k8, XP, Linux, FreeBSD, OSX, etc. etc.

Posted 05 October 2013 - 14:35

You serious? Did the internet come crashing down as predicted by sg? Funny, I don't recall that happening ;)

Raw Sockets are still here - internet seems to still be working.. ;)



#18 HawkMan

HawkMan

    Neowinian Senior

  • Tech Issues Solved: 4
  • Joined: 31-August 04
  • Location: Norway
  • Phone: Noka Lumia 1020

Posted 05 October 2013 - 15:39

There is always a line that must be walked between security and usability.

If security gets in the way of usability then your security has failed. I have no interest in having to check my phone for an SMS code every time I log into a service, nor do I have any interest in doing any other sort of hoop jumping.

Sure for enterprises and government security you need something beyond simple passwords.

If your home computer needs biometrics and two factor logins then I question what you keep on there.

#19 OP +warwagon

warwagon

    Only you can prevent forest fires.

  • Tech Issues Solved: 2
  • Joined: 30-November 01
  • Location: Iowa

Posted 05 October 2013 - 15:43

If your home computer needs biometrics and two factor logins then I question what you keep on there.

Are you talking about a home computer that needs two factor to log into websites / service?



#20 +Phouchg

Phouchg

    Resident Misanthrope

  • Tech Issues Solved: 9
  • Joined: 28-March 11
  • Location: Neowin Detainment Camp

Posted 05 October 2013 - 16:06

There is always a line that must be walked between security and usability.

If security gets in the way of usability then your security has failed. I have no interest in having to check my phone for an SMS code every time I log into a service, nor do I have any interest in doing any other sort of hoop jumping.

Sure for enterprises and government security you need something beyond simple passwords.

If your home computer needs biometrics and two factor logins then I question what you keep on there.


If you have something to hide, you probably shouldn't be doing it in the first place. Now where have I heard this particularly unconvincing sentence...

#21 sc302

sc302

    Neowinian Senior

  • Tech Issues Solved: 25
  • Joined: 12-July 05
  • Location: NJ, USA

Posted 05 October 2013 - 17:34

That it is. Say, do you consider authentication on the user side the weakest link, currently? I may not have the expertise, but I'll say I don't. Biometrics is effectively a login that can't be physically stolen, falsified or forgotten and is easier to use. However, how does one solve the problem that it is invariable? As soon as we introduce other, changing identifiers to safeguard against the possibility of login data being compromised, we're back to glorified usernames and passwords. If I'm being remotely correct on that, I propose we turn attention to other, more problematic parts - bulletproofing protocols, abolishing legacy protocols, mandating much more careful code and hardware audits and, in the recent light, preventing unsanctioned wiretapping.

Remember this about security: if it has been created by man, it can be broken by man. Security has to be forever evolving. There is no way to protect indefinitely unless on a completely closed system that is not accessible from any network other than itself. People are always finding new security holes even after a system has been deemed secure. So investing in ways to protect our systems in their entirety will never happen, as there will always be someone who can circumvent it.

Take the best safe in the world: there isn't anyone who couldn't break through if given enough time, even if they only had a chisel and a hammer. That is security in a nutshell.

#22 OP +warwagon

warwagon

    Only you can prevent forest fires.

  • Tech Issues Solved: 2
  • Joined: 30-November 01
  • Location: Iowa

Posted 13 October 2013 - 18:19

After listening to the latest Q&A I am very excited about this stuff.

I've even been contacted by the W3C, the HTML5 spec editor, who says authentication and login is like a serious problem, no one has solved it yet, this looks wonderful, let's talk. So...

I do have a page of all of that other stuff that people are finding, just so it has a place to live, so I can say, yeah, we've seen all of that, and none of it is the same. There's even been some people saying, like showing me patents. And if you look at the diagram on the patent, it's got 26 different things all pointing at each other. And it's like, okay, look at my picture, and look at their picture. There's just no comparison.

Yes. Now, imagine in a library or a public kiosk. What this literally lets you do is snap a QR code that's being displayed on a computer you do not trust. And without entering any of your credentials, you're logged in. So, I mean, so that's really a change. That's really cool.

That part would be great, as well.

Steve: They all do. In fact, we can skip the first one because he was just asking, he says he loves the SQRL idea, but he doesn't have a smartphone. So we've covered that. You will be able to use desktop clients. Oh, and another advantage of the desktop client, because people have asked about browser plugins to do SQRL, well, first of all, browser plugins are kind of scary because they're in the browser, and you wonder about the browser's security.

#23 OP +warwagon

warwagon

    Only you can prevent forest fires.

  • Tech Issues Solved: 2
  • Joined: 30-November 01
  • Location: Iowa

Posted 09 November 2013 - 16:30

God, not being able to edit your first posts and titles anymore really SUCKS!

Anywho.. They have given SQRL a new acronym: Secure Quick Reliable Login.

Too many people were associating this thing with QR codes. This thing does not have to rely on something you take pictures of AT ALL! It could also be something you just click via browser plugin. In any case there is a bunch more new information on the page.

https://www.grc.com/sqrl/sqrl.htm

Personally I'm really excited about this.



#24 HawkMan

HawkMan

    Neowinian Senior

  • Tech Issues Solved: 4
  • Joined: 31-August 04
  • Location: Norway
  • Phone: Noka Lumia 1020

Posted 09 November 2013 - 16:50

Nothing that relies on a third-party device or ... plugin is ever going to take off.



#25 OP +warwagon

warwagon

    Only you can prevent forest fires.

  • Tech Issues Solved: 2
  • Joined: 30-November 01
  • Location: Iowa

Posted 09 November 2013 - 16:51

Nothing that relies on a third-party device or ... plugin is ever going to take off.

Unless it's integrated into the browser or made a standard. Small steps.

I've even been contacted by the W3C, the HTML5 spec editor, who says authentication and login is like a serious problem, no one has solved it yet, this looks wonderful, let's talk. So...


#26 OP +warwagon

warwagon

    Only you can prevent forest fires.

  • Tech Issues Solved: 2
  • Joined: 30-November 01
  • Location: Iowa

Posted 23 February 2014 - 16:13

Steve Gibson is still hard at work on SQRL while a lot of you are still probably poo-pooing the idea. I for one am very excited about it.

He has released a UI page with a very detailed explanation of how all of this works. It's still a work in progress.

I recommend everyone go to the page and read it. The page is a great read.

https://www.grc.com/.../HintPrompt.png

Apparently when importing your identity from one device to another using your recovery code it does take a mandatory 30 seconds per attempt, to thwart brute forcing.

I should also note that people should get out of their head this idea that this requires QR codes. It does not. You can use one if you are on a public computer, but aside from that, it can be used in the browser on a computer or mobile device without a QR code.

 

[Attached UI screenshots: Welcome.png, HowItWorks.png, Create1.png, Create1a.png, Create2.png, IdentityReplace.png, Create3.png, AboutEntropy.png, Create4.png, Create5.png, PassPrompt.png, HintPrompt.png]
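The "mandatory 30 seconds per attempt" on identity import that the post above mentions is a work-factor defence: the recovery code is run through a key derivation that is deliberately slow, so a guess costs the same wall-clock time whether it is right or wrong. The following is an added illustration of that idea and is not code from the thread or from GRC; it follows the iterated-Scrypt structure SQRL's documentation describes (Scrypt repeated with XORed outputs until a target duration elapses), but the function names are hypothetical and the Scrypt cost is scaled down so the demo runs in a fraction of a second.

```python
"""Illustration of a time-targeted iterated KDF (SQRL-style "EnScrypt").
Added example: function names are hypothetical, parameters are scaled down."""
import hashlib
import hmac
import os
import time

# Deliberately small Scrypt cost per round so the demo is quick; the real
# design spends a fixed number of seconds across many heavier rounds.
SCRYPT_N, SCRYPT_R, SCRYPT_P, KEY_LEN = 2 ** 9, 8, 1, 32


def _one_round(password: bytes, salt: bytes) -> bytes:
    return hashlib.scrypt(password, salt=salt, n=SCRYPT_N, r=SCRYPT_R,
                          p=SCRYPT_P, dklen=KEY_LEN)


def enscrypt_by_count(password: bytes, salt: bytes, iterations: int) -> bytes:
    """Deterministic re-derivation: each round uses the previous round's output
    as its salt (so rounds cannot be skipped or run in parallel) and the final
    key is the XOR of every round's output."""
    acc = prev = _one_round(password, salt)
    for _ in range(iterations - 1):
        prev = _one_round(password, prev)
        acc = bytes(a ^ b for a, b in zip(acc, prev))
    return acc


def enscrypt_by_time(password: bytes, salt: bytes, seconds: float):
    """Enrolment side: keep iterating until `seconds` have elapsed and record
    how many rounds that took; the count, not the time, is what gets stored."""
    deadline = time.monotonic() + seconds
    acc = prev = _one_round(password, salt)
    iterations = 1
    while time.monotonic() < deadline:
        prev = _one_round(password, prev)
        acc = bytes(a ^ b for a, b in zip(acc, prev))
        iterations += 1
    return acc, iterations


def enrol(recovery_code: str, seconds: float) -> dict:
    salt = os.urandom(16)  # constructed per identity
    key, n = enscrypt_by_time(recovery_code.encode(), salt, seconds)
    return {"salt": salt, "iterations": n, "verifier": hashlib.sha256(key).digest()}


def import_identity(record: dict, attempt: str) -> bool:
    """Every import attempt pays the full stored round count before the
    comparison, so a wrong guess costs exactly as much as the right one."""
    key = enscrypt_by_count(attempt.encode(), record["salt"], record["iterations"])
    return hmac.compare_digest(hashlib.sha256(key).digest(), record["verifier"])


def expected_brute_force_seconds(alphabet: int, length: int, secs_per_try: float) -> float:
    """Average time to guess a code of `length` symbols drawn from `alphabet`
    when each try is forced to take `secs_per_try` seconds."""
    return alphabet ** length * secs_per_try / 2
```

Enrolling with `seconds=30` reproduces the delay the post describes; the verifier stores only the salt, the round count and a hash of the derived key, and the import side has no shortcut around re-running those rounds.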



#27 HawkMan

HawkMan

    Neowinian Senior

  • Tech Issues Solved: 4
  • Joined: 31-August 04
  • Location: Norway
  • Phone: Noka Lumia 1020

Posted 23 February 2014 - 17:54

Inconvenient security will always be ignored. Look at UAC in Windows: it had to be dialed back because it was inconvenient, and people still turn it off. More to the point, the people it actually would help, the people with the most knowledge about computers, turn it off.

It's why credit card companies cover fraud for their customers. They could make the cards more secure, but then they'd be inconvenient to use. So while credit card company A had secure credit cards that didn't cover fraud because it wasn't necessary, credit card company B would get all the business because their cards are convenient but insecure, but they cover any fraud.



#28 OP +warwagon

warwagon

    Only you can prevent forest fires.

  • Tech Issues Solved: 2
  • Joined: 30-November 01
  • Location: Iowa

Posted 23 February 2014 - 18:04

If by chance this ever got adopted into the major browsers, then once an identity is created I think it would be more convenient and more secure.