SQRL: Secure QR Login: Replacement for Usernames and Passwords


38 replies to this topic

#31 Fer Trandar

Fer Trandar

    Resident One Post Wonder

  • Joined: 16-March 15

Posted 16 March 2015 - 09:54

I think I might just be the only person on Neowin excited about this :laugh:

 

Registered just to agree with you.

 

 

Whenever you find yourself on the side of the majority, it is time to pause and reflect.

Mark Twain

 

I can't wait for this to go mainstream. I hope Linux users and developers go wild with it.




#32 The_Decryptor

The_Decryptor

    STEAL THE DECLARATION OF INDEPENDENCE

  • Tech Issues Solved: 5
  • Joined: 28-September 02
  • Location: Sol System
  • OS: iSymbian 9.2 SP24.8 Mars Bar

Posted 16 March 2015 - 10:09

I think U2F is more likely to catch on; that's actually got support from browser makers.

#33 OP +warwagon

warwagon

    Only you can prevent forest fires.

  • Tech Issues Solved: 7
  • Joined: 30-November 01
  • Location: Iowa
  • OS: Windows 8.1
  • Phone: LG G3

Posted 16 March 2015 - 13:58

I think U2F is more likely to catch on; that's actually got support from browser makers.

 

Ya, maybe. But if I remember correctly, doesn't the server with U2F still have to keep some secrets?



#34 OP +warwagon

warwagon

    Only you can prevent forest fires.

  • Tech Issues Solved: 7
  • Joined: 30-November 01
  • Location: Iowa
  • OS: Windows 8.1
  • Phone: LG G3

Posted 05 June 2015 - 02:58

SQRL Demonstration on Security Now

 

When he said "I'll log onto your computer using SQRL, Leo", what he meant was he will log onto his (Steve's) account on Leo's computer.

 

In this case he took a picture of it with his phone. On a desktop you simply click the QR code with your mouse. What he also didn't say is that he did have to enter a strong password to unlock his SQRL account on his computer. But to gain access to someone's SQRL account you need the password, plus the recovery code, which he makes very clear during the creation of your SQRL account not to store on your computer.

 



#35 OP +warwagon

warwagon

    Only you can prevent forest fires.

  • Tech Issues Solved: 7
  • Joined: 30-November 01
  • Location: Iowa
  • OS: Windows 8.1
  • Phone: LG G3

Posted 05 June 2015 - 16:26

Using this method the servers have no secrets to keep. When I say secrets I mean using this method the server does NOT store any usernames and passwords. If a server gets hacked it's really no big deal, because there is nothing on the server that anyone can use to log in to that site or any other site on the internet as you.
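The property warwagon describes here (the site holds nothing that lets anyone log in as you, there or anywhere else) is easiest to see in code. The Go program below is an added illustration written for this thread, not SQRL's own client or server code: it derives a separate Ed25519 key pair per site from one master key using HMAC-SHA256 (a simplification of the published SQRL design), hands each site only the public key, and answers a random login nonce with a signature. The `Client` and `Server` types, the site names and the fixed master key in the test are all constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Client holds the user's single master key. Every site key is derived from it,
// so the user carries one secret and the servers carry none.
type Client struct {
	master []byte // hypothetical 32-byte master key (a real client keeps it encrypted under the user's password)
}

func NewClient(master []byte) *Client { return &Client{master: master} }

// siteKeyPair derives the per-site Ed25519 key pair from HMAC-SHA256(master, site),
// using the MAC output as the Ed25519 seed. Simplified illustration, not the real client code.
func (c *Client) siteKeyPair(site string) (ed25519.PublicKey, ed25519.PrivateKey) {
	mac := hmac.New(sha256.New, c.master)
	mac.Write([]byte(site))
	seed := mac.Sum(nil) // 32 bytes, exactly ed25519.SeedSize
	priv := ed25519.NewKeyFromSeed(seed)
	return priv.Public().(ed25519.PublicKey), priv
}

// SitePublicKey is the only thing the client ever gives a site.
func (c *Client) SitePublicKey(site string) ed25519.PublicKey {
	pub, _ := c.siteKeyPair(site)
	return pub
}

// SignChallenge answers a site's fresh nonce with a signature under that site's key.
func (c *Client) SignChallenge(site string, nonce []byte) []byte {
	_, priv := c.siteKeyPair(site)
	return ed25519.Sign(priv, nonce)
}

// Server stores public keys only. A dump of this map lets an attacker verify
// signatures, not produce them, so it cannot be used to log in anywhere.
type Server struct {
	Site  string
	users map[string]ed25519.PublicKey // keyed by hex-encoded public key
}

func NewServer(site string) *Server {
	return &Server{Site: site, users: map[string]ed25519.PublicKey{}}
}

func (s *Server) Register(pub ed25519.PublicKey) { s.users[hex.EncodeToString(pub)] = pub }

// NewNonce issues a random per-login challenge so a captured signature cannot be replayed.
func (s *Server) NewNonce() []byte {
	n := make([]byte, 32)
	if _, err := rand.Read(n); err != nil {
		panic(err)
	}
	return n
}

// Login succeeds only if pub is registered here and sig is a valid signature on this nonce.
func (s *Server) Login(pub ed25519.PublicKey, nonce, sig []byte) bool {
	stored, ok := s.users[hex.EncodeToString(pub)]
	if !ok {
		return false
	}
	return ed25519.Verify(stored, nonce, sig)
}

func main() {
	master := make([]byte, 32)
	if _, err := rand.Read(master); err != nil {
		panic(err)
	}
	user := NewClient(master)
	a, b := NewServer("example.com"), NewServer("example.org")
	a.Register(user.SitePublicKey(a.Site))
	b.Register(user.SitePublicKey(b.Site))

	n := a.NewNonce()
	fmt.Println("login at example.com:", a.Login(user.SitePublicKey(a.Site), n, user.SignChallenge(a.Site, n)))
	// Everything stolen from example.com's database (the public key) is useless at example.org.
	fmt.Println("example.com's stored key accepted at example.org:",
		b.Login(user.SitePublicKey(a.Site), b.NewNonce(), user.SignChallenge(a.Site, n)))
}
```

Two things a defender can read off this: a breach of one site's user table exposes public keys that neither log anyone in nor link the user to another site, because the keys for example.com and example.org come from different HMAC inputs; and the nonce is what stops a captured login from being replayed. The master key is the only secret in the design, which is why the earlier post stresses the password that unlocks it and the recovery code that should stay off the computer. Real SQRL also signs the whole server request rather than a bare nonce, which this example leaves out.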



#36 OP +warwagon

warwagon

    Only you can prevent forest fires.

  • Tech Issues Solved: 7
  • Joined: 30-November 01
  • Location: Iowa
  • OS: Windows 8.1
  • Phone: LG G3

Posted 05 June 2015 - 22:26

A demonstration video I recorded today

 

A quick note: the first time you use your imported identity you are prompted for your full password. It only prompted me for the first 4 characters because I actually did an edit in the video right at that spot, which means I goofed and cut that part out.

 



#37 Intersect

Intersect

    Neowinian Senior

  • Tech Issues Solved: 7
  • Joined: 02-August 03
  • Location: Earth

Posted 05 June 2015 - 23:06

 

A demonstration video I recorded today

 

A quick note: the first time you use your imported identity you are prompted for your full password. It only prompted me for the first 4 characters because I actually did an edit in the video right at that spot, which means I goofed and cut that part out.

 

 

It is an interesting concept, but I cannot see it taking off. With the likes of the YubiKey along with LastPass to store passwords, the unwashed masses are yet to take it up, and there are still a lot of websites out there that don't bother to offer 2FA for their users' accounts. We are getting there, though, just slowly.



#38 OP +warwagon

warwagon

    Only you can prevent forest fires.

  • Tech Issues Solved: 7
  • Joined: 30-November 01
  • Location: Iowa
  • OS: Windows 8.1
  • Phone: LG G3

Posted 05 June 2015 - 23:07

It is an interesting concept, but I cannot see it taking off. With the likes of the YubiKey along with LastPass to store passwords, the unwashed masses are yet to take it up, and there are still a lot of websites out there that don't bother to offer 2FA for their users' accounts. We are getting there, though.

 

Personally I think this is so much easier and safer than LastPass.

 

If you are using this with a site and that site gets hacked, you really don't even have to change your password.



#39 OP +warwagon

warwagon

    Only you can prevent forest fires.

  • Tech Issues Solved: 7
  • Joined: 30-November 01
  • Location: Iowa
  • OS: Windows 8.1
  • Phone: LG G3

Posted 06 June 2015 - 03:27

I posted the following on the GRC newsgroup regarding SQRL

After I recorded the video I was trying to think of every single attack surface I could think of on how a user would get their identity stolen, and I came up with the following scenarios.

Scenario 1

Hacker compromises a user's PC, has remote access and has also installed a keylogger.

They wait a while for the user to enter his entire password into SQRL. Because he has remote access to the user's machine, he opens the SQRL client, displays the QR code on screen, takes a screenshot, prints the exported information to a PDF file instead of a printer, or just uses the "store the file" option, all of which he sends back to himself.

He then uses the QR code to import your identity (which does not require the recovery code) onto his machine and has the password to match.

Scenario 2

Someone has physical access to your machine and installs a keylogger via software or a physical device attached to your keyboard. They wait until they have your password, then they export your identity to a USB device and leave.

So then I thought that anything done in the Backup or Export section should require the recovery code. Then I was like, well no, because if there is a keylogger on the system they would get that as well and that's not good.

So then what's the solution? Without access to a QR code or the other code + the recovery code, the SQRL password is absolutely worthless.

Except for how easy it might be for an attacker to export it out of the machine.

The only solution I could think of is something separate which is printed out, that you would be instructed to store in a separate place from the recovery code and printed QR code. How about a list of one-time use codes which would be used for authentication to export your identity