So did everyone like my catchy link bait thread title? Personally, I think if this catches on, passwords really will be obsolete.
So about 6 months ago or maybe more, Steve Gibson started a quest to create a new form of authentication. Something that does away with user names and passwords.
He chose QR Codes, but get the notion out of your head that all you will be doing is taking pictures of QR codes with your phone. It's not that at all. In fact, just tapping a QR code with your finger does the trick!
You can read all about it in my previous thread.
I'm creating a new thread because now we have something we can test.
Steve Gibson mentioned this on Security Now. He's been in communication with this person and this person has made an Android client based off Steve Gibson's spec. Gibson is working on the Windows client.
Steve: Okay. So there was a tweet this morning that I got a kick out of because this is the beginning. Someone named "bothyhead," B-O-T-H-Y-H-E-A-D, and he's just @bothyhead, at 4:38 a.m. this morning via Plume for Android, tweeted: "@SGgrc I've just been playing with Ralf's SQRL client and his test site. I so hope this takes off. It's amazing. The world owes you one." So what this says is, obviously, SQRL is running. And it is the case that there are going to be endless squirrel jokes, I'm sure.
FR. ROBERT: Either SQRL is running, or this individual needs a little bit of help, it's one or the other.
Steve: I mentioned Ralf a couple weeks ago when I was talking about the AES-GCM cipher protocol and how it was actually in my interactions with Ralf, who is a German student who is doing his master's thesis on SQRL, and also implementing an Android client and a test server. He was concerned about the intellectual property rights of OCB, which is the cipher suite I was going to use, the authenticated encrypted cipher suite. And he raised some good points. I changed the spec and wrote, spent a week writing in Portable C an implementation of AES-GCM so that all SQRL implementations would be able to have one that was free, public domain, and completely unrestricted, since I wasn't able to find one otherwise on the Internet.
He's got his client up and running. A whole bunch of people over in the GRC newsgroup, the SQRL newsgroup, have it up and running and have been sending him feedback, like with what version of Android and what platform and what tablet and so forth. So it's beginning to happen. So it's all I've been working on. I'm working on the reference Windows client and working as hard as I can to get to the protocol portion because I just want to ratify the protocol, which is at this point still pro forma until I have a chance to nail it down. But it is the case that the SQRL system works, and it's working. So just a nice little bit of good news.
Installed this on my Android device and it worked just as I hoped. I really hope this gets widely adopted.
So anyone who uses Android, go play with it and report back. At the moment all you can do is log into his test server and create an account. But that should be enough to give you a sense of how that works. More information on how this works can be found in my previous thread I posted above. Now imagine logging into Neowin with SQRL.