+Warwagon MVC Posted July 16, 2014

So did everyone like my catchy link bait thread title? Personally, I think if this catches on, passwords really will be obsolete.

So about 6 months ago or maybe more, Steve Gibson started a quest to create a new form of authentication. Something that does away with usernames and passwords. He chose QR codes, but get the notion out of your head that all you will be doing is taking pictures of QR codes with your phone. It's not that at all. In fact just tapping a QR code with your finger does the trick! You can read all about it in my previous thread.

https://www.neowin.net/forum/topic/1180477-sqrl-secure-qr-login-replacement-for-usernames-and-passwords/

I'm creating a new thread because now we have something we can test.

SQRL https://play.google.com/store/apps/details?id=net.vrallev.android.sqrl&hl=en_US

Steve Gibson mentioned this on Security Now. He's been in communication with this person and this person has made an Android client based off Steve Gibson's spec. Gibson is working on the Windows client.

Quote:

Steve: Okay. So there was a tweet this morning that I got a kick out of because this is the beginning. Someone named "bothyhead," B-O-T-H-Y-H-E-A-D, and he's just @bothyhead, at 4:38 a.m. this morning via Plume for Android, tweeted: "@SGgrc I've just been playing with Ralf's SQRL client and his test site. I so hope this takes off. It's amazing. The world owes you one." So what this says is, obviously, SQRL is running. And it is the case that there are going to be endless squirrel jokes, I'm sure.

FR. ROBERT: Either SQRL is running, or this individual needs a little bit of help, it's one or the other.

Steve: I mentioned Ralf a couple weeks ago when I was talking about the AES-GCM cipher protocol and how it was actually in my interactions with Ralf, who is a German student who is doing his master's thesis on SQRL, and also implementing an Android client and a test server. He was concerned about the intellectual property rights of OCB, which is the cipher suite I was going to use, the authenticated encrypted cipher suite. And he raised some good points. I changed the spec and wrote, spent a week writing in Portable C an implementation of AES-GCM so that all SQRL implementations would be able to have one that was free, public domain, and completely unrestricted, since I wasn't able to find one otherwise on the Internet. He's got his client up and running. A whole bunch of people over in the GRC newsgroup, the SQRL newsgroup, have it up and running and have been sending him feedback, like with what version of Android and what platform and what tablet and so forth. So it's beginning to happen. So it's all I've been working on. I'm working on the reference Windows client and working as hard as I can to get to the protocol portion because I just want to ratify the protocol, which is at this point still pro forma until I have a chance to nail it down. But it is the case that the SQRL system works, and it's working. So just a nice little bit of good news.

Installed this on my Android device and it worked just as I hoped. I really hope this gets widely adopted. So anyone who uses Android, go play with it and report back. At the moment all you can do is log into his test server and create an account. But that should be enough to give you a sense of how that works. More information on how this works can be found in my previous thread I posted above.

Now imagine logging into Neowin with SQRL.

+Warwagon MVC Posted July 18, 2014

So has anyone had a chance to test this out... besides me?

+theblazingangel MVC Posted July 18, 2014

I'm too busy, I still haven't found the time to even read properly how it works. I'll get around to it eventually.

123456789A Posted July 18, 2014

I heard this method was cracked rather quickly by the Russians.

+Warwagon MVC Posted July 18, 2014

Quote: I heard this method was cracked rather quickly by the Russians.

Source?

Mr. Gibs Posted July 18, 2014

Quote: Steve Gibson

And that's where I stopped reading.

Circaflex Posted July 18, 2014

Well first of all, Gibson did not create this. He did not invent SQRL, he gave it a name. The protocol has been around for years and is protected by several patents (http://www.michael.beiter.org/2013/10/04/steve-gibsons-sqrl-is-not-really-new/). Gibson keeps telling everyone that "his idea" is free to use for everyone. The problem is that it is NOT his idea, and that the individuals and organizations holding the patents will sue everyone who is using the protocol without paying royalties.

Budman even pointed this out in your original thread.

+Warwagon MVC Posted July 18, 2014

Quote: Well first of all, Gibson did not create this. He did not invent SQRL, he gave it a name. The protocol has been around for years and is protected by several patents (http://www.michael.beiter.org/2013/10/04/steve-gibsons-sqrl-is-not-really-new/). Gibson keeps telling everyone that "his idea" is free to use for everyone. The problem is that it is NOT his idea, and that the individuals and organizations holding the patents will sue everyone who is using the protocol without paying royalties. Budman even pointed this out in your original thread.

Steve: They've got pilot projects and things. And in fact they did play with QR code login briefly. A couple years ago, for like about a month, there was something where you could - that you could - they would present you with a QR code. You could snap it, and the login sort of jumped over to your phone. It took it away from the website over to your phone. And it's funny, too, because there have been - I've been flooded with people saying, oh, Gibson, this has been done before. And then they'll send me a link to something which has a QR code, but that's the only thing it bears in common. So I also have...

Leo: This is unique, as far as I can tell. There's nothing like this, yeah.

Steve: I do have a page of all of that other stuff that people are finding, just so it has a place to live, so I can say, yeah, we've seen all of that, and none of it is the same. There's even been some people saying, like showing me patents. And if you look at the diagram on the patent, it's got 26 different things all pointing at each other. And it's like, okay, look at my picture, and look at their picture. There's just no comparison.