New Standard For Website Authentication Proposed: SQRL (Secure QR Login)
fsagx writes "Steve Gibson has proposed a new standard method for website authentication. The SQRL system (pronounced 'squirrel') eliminates problems inherent in traditional login techniques. The website's login presents a QR code containing the URL of its authentication service, plus a nonce. The user's smartphone signs the login URL using a private key derived from its master secret and the URL's domain name. The Smartphone sends the matching public key to identify the user, and the signature to authenticate it. It may be used alongside of traditional username/password to ease adoption."
So, basically... challenge/response tunneled inside of SSL, but with a QR code? Quick, get the patent office on the phone.
No doubt...that's connecting online identities to traceable mobile phones that can be monitored by satellite in real-time, along with information requests from providers.
Don't buy it.
I don't think it will be very popular to force users to pull out a smartphone (or even HAVE a smartphone) to use a website.
Seriously, just face it, this idea is not going to be adopted.
So you go to a website and it displays a QR code it wants you to scan. Who knows where that QR code could redirect to.
Also, I go to a website on my smartphone. How do I scan the QR code? With my other smartphone?
Which problem is this supposed to be solving? All my traditional logins work just fine. If they didn't then I wouldn't be using them.
Programmers argue whether the right way to say SQL is S Q L or sequel. A business analyst told me her way, and I thought it fit best: squirrel.
I trust every website with my phone number. Why? Because I can't log in otherwise!
There are many sites which I appreciate have authentication but that I do not even begin to trust. They get a crappy password. I do not have burner phones for every website.
While QR codes themselves are clear, my understanding was that the term "QR code" is trademarked in several countries.
Good summary: http://allthatiswrong.wordpress.com/2009/10/11/steve-gibson-is-a-fraud/
There are so many to choose from.
In this case, the proposer seems to be under the impression that a desktop, laptop, or tablet is more likely to be compromised than a smartphone.
I am officially gone from
This goes way above and beyond that..
Doubt anyone will ever give a shit about it because of all the special stuff that needs to be in place just to get access.
I'll stick with username/password.
Isn't this exactly what happens during SSL client certificate authentication? Modulo routing the response through a smartphone, that is.
I assume this will be enabled between Friday October 18, 8 pm to Saturday October 19, 1 am (Eastern Time).
"The likes of Facebook and WhatsApp are free to those whose privacy is of zero value."
You had me at "QR code".
The CB App. What's your 20?
If you want secure / two-factor today then you'll use Google Authenticator - which is what all bitcoin exchanges use. It's the standard. We don't need a new one. And it's open, so you don't need a smartphone, you can use a PC version like JAuth. This QR code thing is less smart as it would need you to actually have a smartphone - and that's a very dumb idea. The Google Authenticator standard does not, but you should use another device (notebook computer, tablet, phone, whatever) for it since that's more secure. Anyway, this story is a yawn but that and censorship is what I've come to expect from Slashdot these days.
9/11: Never forget it was a false-flag operation
you insensitive clod!
I invite everyone to let Google autocomplete that sentence. It's been well-known for a good while that absolutely no-one should pay any attention to him.
Just for giggles I did test auto complete on that and it gave:
1. steve gibson is a fake
2. steve gibson is a moron
3. steve gibson is a idiot
Could that be considered the -opinion- of the Google algorithm?
My opinion about TFS involves squirrels too. But mainly their primary food source ( pronounced 'nuts').
...as I read the acronym that the QR in it had nothing to do with QR codes. Oh well.
Google is run by the CIA and NSA with front men simply being used as puppets to push a totalitarian agenda.
I laugh at anyone who trusts Google with their data, or authentication. Google is a corporation. How the fuck did you deduce that Google was the entity to trust for your most sensitive details? Was it the "don't be evil" catchphrase created 10 years ago that sold you?
Yes, this guy has made a hugely retarded authentication scheme, but trusting Google with your authentication is just as hugely retarded, if not more retarded, judging from the recent NSA revelations.
Meanwhile, those that actually give a fuck about "security" host their own authentication. Trusting one of the biggest corporations in the world is not "security"
http://xkcd.com/1237/
and I'm sure NSA is forcing them to implement a backdoor or else the NSA will shut them down.
They already exist and are supported, doing pretty much the same thing on a secondary device does little to improve things.
No sir I dont like it.
Why can't it be 1, 2, AND 3?
Actually, two smartphones required to browse. One to navigate to the website, the other to take the picture of the QR code on the first one's screen. Oh, and you'll probably need a third hand to type in the password that is computed on the second phone into the password box displayed on the first phone.
In the U.K., the word 'nonce' has a totally different meaning...
http://en.wikipedia.org/wiki/Nonce_%28slang%29
The endless parade of cheap hacks needs to stop. Anything less than strong bindings between session encryption and authentication is short changing everyone.
Get browser vendors to apply the TLS-SRP patches sitting in their ticket systems.
> I laugh at anyone who trusts Google with their data, or authentication.
Yes, I know Google is pure evil. Google Auth is based on an open standard & it is open source. As I wrote in parent post: This means that there is a whole range of implementations available. I use the Google Auth standard for auth at various Bitcoin exchanges but I do not use any Google software to do it, I use other implementations. You can use Google Auth without trusting Google with jack shit. (and yeah, I know they are evil, I've removed all the Google spyware / crapware from my phone, I don't have their appstore, etc)
9/11: Never forget it was a false-flag operation
Steve Gibson is a "knob-gobbler"
That's the sesame street word of the day kids!
Steve has a lot of hate coming from the traditional hacker community, some of it for good reasons. He got started in all this trying to defend himself from some attacks, and definitely made some noob mistakes. In particular, he made the mistake of lumping in penetration testers (white hats) with criminal hackers (black hats). That generated a lot of hate from the pen tester community and many labeled him a fraud and never looked back. His biggest offense seems to be that he is not of, and does not participate in, the traditional hacker/pen tester community. I think it is very telling that none of his detractors are actually pointing out problems in his proposal for SQRL. They are relying entirely on "we all know Steve Gibson is a fraud" arguments.
"Trying is only the first step towards failure." - Homer
As I understand it, it's intended in part for the use case where you browse on a computer that's not your own, such as at a relative's home or a public library. This means you haven't stored a client certificate on this computer. The authenticator app on your smartphone would store its own equivalent of a client certificate.
No overpriced smartphones with overpriced and over limited data plans.
Google Auth is based on an open standard & it is open source.
To be more specific, Google Auth (source code is here: http://code.google.com/p/google-authenticator/) is based on RFCs 4226 ("HOTP: An HMAC-Based One-Time Password Algorithm") and 6238 ("TOTP: Time-Based One-Time Password Algorithm").
Even if Mr. Gibson did seek a patent, Google has prior art.
...my damn cellphone died, couldn't log in.
Don't expect kiosks to have the software/browser extension installed to understand the sqrl: protocol, whereas your phone can still snap a picture of it and as far as the kiosk knows you were just magically signed in without leaving the slightest trace.
Another: http://www.vmyths.com/resource.cfm_id=59&page=1
Way to invalidate the concept. Ad hominem attack. Clever.
So I'll add the context back in:
It's not called SclickL because it still lets you take a snapshot of the QR code on a public computer/kiosk so the computer that has no sqrl: protocol handler installed gets nothing.
For real? Look at the title of your post
10. Steve Gibson is unaware of the location of his towel
Clearly not a man to be reckoned with.
This is less bile and more matter-of-fact: http://attrition.org/errata/charlatan/steve_gibson/
The man just does not have the mental fortitude to work in his chosen field. He gets by because his actual talent is in marketing.
For real, look at where I did acknowledge it's discussed in this single thread. That's still a long shot from
none of his detractors are actually point out problems[.] They are relying entirely on "we all know Steve Gibson is a fraud" arguments.
Plenty of threads, that is all but this one, do point out problems and do not mention Gibson being a fraud at all. And I'm only rephrasing this as I've stated it before. What do you not understand about it?
The MySQL team says S-Q-L, and I believe their web page says that's how their name is pronounced. The official SQL standard says it's s-q-l.
On the other hand, it seems to me that Windows admins tend to say sequel. The primary author of the language, Chamberlain, says sequel.
Putting all that together, neither is really right or wrong. When talking about Microsoft's RDBMS to Microsoft-based listeners, sequel will elicit the fewest snickers. In the FOSS community, say My s-q-l. S-Q-L is the standard data manipulation language, sequel is some Microsoft crap, the OSS folks will say.
Dude, I'd be all-righteously on your side right now, but just, like, read the links. There's an abundance of material that shows he has no idea what he's talking about or, worse, has a crudely-formed idea that he peddles as ultimate wisdom. I'd agree it's strictly possible he blindly picked a corn with the idea as described in this article, but it's unlikely given his track record and the idea certainly should not be given any additional credence just because it's his. This story would not be here on Slashdot if it wasn't proposed by someone with a name. The entire intention behind debunking Gibson is to eradicate undue pre-trust in his name and instead have the proposal examined as if some random hobo had suggested it. Someone, i.e., like Steve Gibson.
What idiot would scan a QR code? The same idiots that blindly follow links. This will not end well.
Yes, people sometimes mispronounced it, but that is due to ignorance
Actually, the ignorance is people that aren't aware that it was originally called SEQUEL and then renamed to SQL. There have been various products over the years on various platforms with the SEQUEL name (80's and early 90's). The pronunciation has been both ways, although as time goes on there are many people like yourself that just aren't aware of the history and other pronunciation and so it continues to fade.
SG is the real deal - he's been around forever, he's been an outsider forever (i.e. since the internet was conceived, and information was free), he knows the limitations of the "security" measures out there and he can call BS on anything in my book - his proposal stands up to scrutiny, despite whoever he's pissed off in the past. Onward the SQRL!
So you need to have your phone present and with a connection to login?
And it's basically just OAuth with an added device dependency?
FINALLY! As a SADO-MASOCHISTIC Web Developer, I've been pining for an authentication schema that is as equally painful to use as it is to implement that provides no real added benefit over what we currently have!
Ohhh Steve Gibson -- you are a fucking genius!
Then dispute it with logic and reason. Using a logical fallacy to attack a claim adds weight to the claim.
True, it is a standard, but that won't stop the America-haters from foaming at the mouth. They hate the Internet because it was created by the US. They hate open source because Americans dominate open source. They hate /. because it is American, and the best contributors are all American. Being a standard will not change their mind. They hate us, and they will keep ranting here to try to ruin this site.
The Smartphone sends the matching public key to identify the user, and the signature to authenticate it. It may be used alongside of traditional username/password to ease adoption."
Attack method: the attacker presents to the user a fake website, proxying the real QR login image.
The real user goes through the signature shenanigans, causing the attacker's browser session to be authenticated, when the user types in the password and hits OK.
The attacker leverages a man-in-the-browser attack to execute undesirable sequences of actions for the user to execute, such as sending a payment they didn't intend, etc.... all by presenting fake questions, and persuading the user they need to scan more QR codes.
Also, some of the QR codes could launch malicious URLs that cause the smart phone to be compromised, or cause the digital signatures behind the crypto scheme to be transmitted to the attacker.
But, one big problem I see with this, is likely that you will be giving your fucking phone number to every website you want to log onto using this.
I'm trying desperately to not give them any identifiable information on who I am, not more!!
Light travels faster than sound. This is why some people appear bright until you hear them speak.........
From TFA:
1. No cell phone required.
2. No QR code required.
3. err, no cell phone required
4. It's stored encrypted by a local password
I agree, nothing of value added with these icons. Learned that from Security Now, with Steve Gibson.
>The authenticating web site receives and acknowledges the POST query by returning a standard HTTP “200 OK” with no other content.
Wouldn't that be a '204 No Content" then?
...but instead of storing the certificate in a moderately secure environment (the browser) it's stored in the least secure environment available to the user, the mobile phone. Not only does it not have any security against remote exploits, securing it physically is also next to impossible.
I also think that the system is overreliant on a person having a smartphone. I often go places without one and am seriously considering getting a dumb phone for private use (weekends and evenings). This system would not work for me or the millions of other people that do not want or do not have one. If a system relies on a phone, how is this better than current systems that send me an OTP on any mobile using basic SMS? It is more complex but not more reliable, as the weak link is regarding who has your phone.
I love stacking my barbecues in the shed at the end of summer - you can't beat a bit of grill on grill action.
From TFA, SQRL does not rely on a smartphone. The client can be anything that conceivably understands QR codes, a class in which smartphones are a well-known member.
And no, camera not required. QR codes are just a format, your laptop can parse it.
Perhaps the smartphone use case was confusing as a first example, but it does represent a situation where username/password is especially cumbersome.
It's a logical fallacy to claim that using a logical fallacy to attack a claim adds weight to the claim. Also, ad hominems like other fallacies can be good arguments -- just not deductively valid in a formal sense. If someone spews 99% nonsense, it's a waste of valuable time to invest hours into providing deductively that their latest spew is also nonsense.
This space intentionally left blank
Yeah: considering that your so-called smartphone is the most-hacked piece of equipment in your electronic inventory, this sounds like a brilliant idea. Meh.
TFA explains how that would work with a client on a PC. It's close to the end of the home page of the site.
I used the wrong word, meant claimant. It is not valid. I don't care who or where the claim comes from, it should be disputed in logic and reason.
I guess you didn't read the spec, no identifiable information needs to be sent.
- Raynet --> .
Nope, completely independent of your phone number. Each site you visit effectively has its own user identifier, unique to that site, which is generated from a combination of your master key and the website address. Unless you tell the web site some of your details, all the site knows is that you are the same person as every other time you visited. Nothing stopping this being completely anonymous as long as the site does not demand personally identifiable info (e.g. a retail site would need your name, address and payment details or the login is pointless).
Because Google autocomplete is a good way to find out actual facts.....
How about just coming up with a reasonable rebuttal to his proposal instead of a "first" flame?
I couldn't give a flying monkeys what people think of him, he is very over excitable but slamming an idea because of some psychotic hatred you seem to have about a guy you have never met and has done nothing but propose a potentially useful idea is a bit ...well... childish
A few days before I first heard of SQRL (a few weeks ago) I came up with a very similar proposal, which I published on my blog http://ddevnet.net/posts/anonymous-authentication-with-pk.html
SQRL works around the biggest hassle with my proposal which is linking the browser and the certificate to a session. The QR code idea really streamlines the workflow. My proposal could probably adopt this idea. Where our proposals really differ is that I believe that keeping your keystore anonymous is important. With SQRL they know your keystore location (and can directly attack it, or steal it, or whatever) because of the way it uses the keystore in an out-of-band manner. I also think that when the keystore is identified this is likely to also reveal some clues as to your identity, which sucks balls.
I also think that the keys could/should be used for encrypting messages/notifications that can be published publicly but only read by the holder of the private key. This avoids email addresses which may leak your identity.
Let's see. You inform your cellphone/smartphone number in the form, or can be spoofed with any phone out there. Grey or black. While adding data to the usual reservoirs. A joke.
4.. noob.
Posting a picture to a xkcd joke without the alt text (nor proper link) is inexcusable.
What if you don't have a smartphone. What if you're browsing on your smartphone, do you then need a second smartphone to recognize the QR image off the first one?
This idea is dumb as bricks.
As Gibson has, THEN, they can talk (as peers, not bullshitters).
* Consider the source...
(I've hung around & maintained ongoing debates + conversations with the "security community" & imo AND experience? MOST aren't anywhere NEAR Gibson in skillset OR more importantly, accomplishments... are there any that do? Of course - then again, you don't see many of THAT kind giving him shit either!)
APK
P.S.=> World's FULL of "talk a lot but did zero" b.s. artists who see fit to 'cut down others' (who've done far more of good note than they have), but haven't done squat themselves... period! I don't know about the rest of you, but I don't pay much heed to that type (unless they debate an argument in the arena of security with FACTS - not jealousy driven prejudices)
... apk
So, how do I snap the QR code - if I am logging into the website - on my phone...?
1. No cell phone required.
I call BS, yes the article has a section "Three Ways to Go ... smartphone optional" which totally invalidates the system's whole reason for being used, securely logging in on a "public", probably compromised computer. Read the section "No keyboard interaction", this usage will *REQUIRE* a smartphone.
I agree with the original AC, not a very well thought out idea.
Ideally, sure.
In a world where the ravages of entropy are bringing you ever closer to the end of your finite lifespan, you just end up pissing away a whole lot of time.
Owns a smartphone, so SQRL is completely useless!
Michael
http://s1.sfgame.us/index.php?rec=58163
It may be used alongside of traditional username/password to ease adoption.
It *should* be used alongside traditional username/password
I know it might boggle your mind but not everyone has (or wants) a smart phone
I love my smart phone to bits (sometimes literally) but I know plenty of people who have a cheap ass phone so they can.... make phone calls.
I also have a friend who leaves his smartphone at home when he goes to work, after having his beloved stolen when he turned around to study some blueprints; now he carries a cheap-ass second (or third) hand Nokia - hasn't been stolen in a long while.
There are three kinds of falsehood: the first is a 'fib,' the second is a downright lie, and the third is statistics.
I'm excited about the possibilities of signing into a website on one smartphone while needing a second smartphone to capture and authenticate the QR code.
http://it.slashdot.org/comments.pl?sid=4349283&cid=45163547
"The guy just doesn't understand that his problem is not that he's not smart" - man_of_mr_e (217855) on Friday October 18, 2013 @09:59AM (#45164093)
You are then? Ok:
PROVE it!
(I.E.-> Show us what you've done more of, better of, & earlier than Mr. Gibson has in the art & science of computing then...)
* After all - a "big talker" like YOU ought to be able to manage that, correct? Not... I'd wager you can't show a single thing whereas he's done decent stuff since "SpinRite" onwards... have you?
APK
P.S.=> I truly DO expect a BIG FAT ZERO out of you vs. Mr. Gibson (& yes, I'd strongly wager I am correct regarding a mere "put down artist" like yourself - which ANYONE can do - who I strongly suspect has zero to his name/credit that's done as well in computing as Gibson has, "SpinRite" onwards (as I suspect YOU to be))... apk
Uh, that's a more comprehensive analysis of password strength than I've seen anywhere else.
His "technique" is nothing more than finding a way to make your passwords longer in a way that people can remember. That's the whole point - length matters. Do you have a better way of coming up with a strong password that can be remembered?
If you discount everything a person says, why are you posting here?
I've been following the development of SQRL and it seems there are misconceptions here. I'll try to explain it in the way I think of it.
The core of SQRL is really authenticating to a server by proving you have a private key. The server never sees your private key, only your public key, so if the server is hacked, the attacker can't use your SQRL credential to login. You do not need to create and memorize a password for every site.
There are additional features of SQRL:
QR Code: This allows you to keep your private key on a separate device. This means you can use a public computer and that computer would not have access to your private key. It could still mess with your current session, but not future sessions. You don't have to use the QR code & separate device, it is optional for more security. It is slightly different from Google's Sesame experiment in that Google's QR code use had you sign in on your phone with your username and password rather than a private key.
Generated Private Key: SQRL uses a separate private key for each site. The private key for each site is a product of your Master Key, your one password, and the site's 'domain'. To backup your SQRL credentials for every website, you only need to backup the Master Key and remember your one password. You will have a separate key for every website and only need to keep track of one password. You would only need to remember one password.
There are also discussions about additional phishing counter-measures:
If you're not using a separate device, the server you authenticate with could send you the logged in session out-of-band. This means that if fakefacebook.com tries to trick you to log in with the SQRL from facebook.com, fakefacebook.com never gets a logged in session.
There is also a feature to warn if the IP address of the authenticating computer is not the same as the computer that initially requested the logon session.
There are already ways to have multiple identities per site with the same Master Key and password. Also, the spec will have a built in way to update your public key if you ever have a reason to change your Master Key.
This does not solve every problem with authentication, but it has benefits over traditional password authentication.
Zusukar
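The flow Zusukar describes above (one master secret, a distinct per-site key pair, a signature over a nonce-bearing login URL, and a server that stores only the public key), written out as an added example; this is not code from the original post or from the SQRL project. The derivation used here (HMAC-SHA256 of the domain under the master key as an Ed25519 seed) and all names are assumptions chosen to illustrate the properties, not the spec's exact construction.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// deriveSiteKey derives a per-site Ed25519 key pair from the master key and the
// site's domain. Assumed construction for illustration: HMAC-SHA256(master, domain)
// is used as the Ed25519 seed, so one master secret yields an unlinkable key pair
// per domain and the master secret itself never has to be sent anywhere.
func deriveSiteKey(masterKey []byte, domain string) (ed25519.PublicKey, ed25519.PrivateKey) {
	mac := hmac.New(sha256.New, masterKey)
	mac.Write([]byte(domain))
	seed := mac.Sum(nil) // 32 bytes, exactly ed25519.SeedSize
	priv := ed25519.NewKeyFromSeed(seed)
	return priv.Public().(ed25519.PublicKey), priv
}

// Challenge is what the site encodes in its QR code: the login URL plus a nonce.
type Challenge struct {
	Domain string
	Nonce  string
}

// LoginURL is the exact string the client signs; it binds domain and nonce together.
func (c Challenge) LoginURL() string {
	return "https://" + c.Domain + "/sqrl?nut=" + c.Nonce
}

// NewChallenge issues a fresh random nonce for one login attempt.
func NewChallenge(domain string) Challenge {
	var b [16]byte
	if _, err := rand.Read(b[:]); err != nil {
		panic(err)
	}
	return Challenge{Domain: domain, Nonce: hex.EncodeToString(b[:])}
}

// Response is what the client returns: the site-specific public key (the user's
// identity at this site) and a signature over the login URL.
type Response struct {
	PublicKey ed25519.PublicKey
	Signature []byte
}

// ClientAnswer derives the key for the domain named in the challenge and signs
// the login URL. Only the public key and the signature leave the client.
func ClientAnswer(masterKey []byte, c Challenge) Response {
	pub, priv := deriveSiteKey(masterKey, c.Domain)
	return Response{PublicKey: pub, Signature: ed25519.Sign(priv, []byte(c.LoginURL()))}
}

// ServerVerify accepts the response only if the signature covers exactly the URL
// (domain + nonce) the server issued for this session, so a captured signature
// cannot be replayed against a later login and the stored public key alone is
// useless to whoever steals the server's database.
func ServerVerify(issued Challenge, r Response) bool {
	if len(r.PublicKey) != ed25519.PublicKeySize {
		return false
	}
	return ed25519.Verify(r.PublicKey, []byte(issued.LoginURL()), r.Signature)
}

// SameIdentity reports whether two responses come from the same per-site key,
// i.e. the same user returning to the same site.
func SameIdentity(a, b Response) bool {
	return bytes.Equal(a.PublicKey, b.PublicKey)
}

func main() {
	master := []byte("constructed sample master secret, not a real key") // constructed
	c := NewChallenge("example.com")
	r := ClientAnswer(master, c)
	fmt.Println("login accepted:", ServerVerify(c, r))
	fmt.Println("replay with new nonce accepted:", ServerVerify(NewChallenge("example.com"), r))
	other := ClientAnswer(master, NewChallenge("other.example"))
	fmt.Println("identity shared across sites:", SameIdentity(r, other))
}
```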
I'm not sure what you're getting at. What has one got to do with the other?
So, you can't tell, or can't log in, unless you own a smartphone (tm)? Quite so, mine citizen. Please show me your citizenship documents on your smartphone... you don't have one? Please accompany this fine officer to the station for violating community standards....
mark "fsck smartphones"
"His argument is based totally on pure brute force, which nobody does." - by man_of_mr_e (217855) on Friday October 18, 2013 @09:59AM (#45164093)
WRONG: They've been doing it for AGES & still do -> http://www.dshield.org/diary/Low%2C+slow%2C+distributed+SSH+username+brute+forcing/5114
( E.G.-> Here's 30++ more just to "start the show" -> http://www.dshield.org/search.html?q=brute+force ranging from 2 months ago, up to 3++ yrs. ago, no less - so much for YOUR b.s.!)
---
PERTINENT QUOTE/EXCERPT:
"Koos writes in with some logs of distributed SSH scanning with the following characteristics. Usernames are being brute forced starting at "aaa" and incremented. This is being done in a distributed manner with almost perfect synchronization between the scanning hosts. Over the last 32 hours, his system received 216 login attempts of which 138 attempts were from unique IP addresses. Obviously, the attacker is trying to avoid the popular SSH banning scripts by going under the banning thresholds of these programs. At peak, there was only 20 total attempts per hour."
---
* For BOTH usernames AND password cracking, + more - & that's from 2008 - Want more current examples to go with it? Just ask...
APK
P.S.=> Before you "talk out of your ass" again, putting down your betters while you were @ it? Get your facts straight - in fact - brute force gets used when dictionary attacks fail, nearly every time...
... apk
How exactly is it a "comprehensive analysis" if it ignores dictionary attack strength?
How is it "comprehensive" if it ignores the fact that an attack can be crafted specifically for this technique?
All it discusses is brute force, which is pointless beyond a few characters.
If you need web hosting, you could do worse than here
WTF? Are you really just this stupid? What exactly do captchas have to do with password brute forcing?
Nothing, idiot. So STFU.
The argument here is that the claimant has no credibility and is shown to be far from knowledgeable in his professed field.
That much has been established, and there is a wealth of evidence in the form of links throughout this discussion.
Before we waste time investigating his new proposal, it only makes sense to see if it is worth the time, to see if he has improved his education in his area of self-profession.
Pointing out that someone is not knowledgeable when this has been shown to be the case is a valid argument.
If you ignore ACs because they are anonymous - you're an idiot.
Steve Gibson is a... (-1, Troll)
Well played.
BREAKING NEWS: New security system involves smartphones!!!
NO, JUST NO
This is to solve the problem of memorising usernames & impossible-to-remember good passwords... and also to make it impossible for web sites to lose your username & password, so no one can impersonate you easily just because they get the database.
YOU STILL ARE RESPONSIBLE TO MAKE SURE YOU ARE AT THE CORRECT WEB SITE before clicking or scanning the SQRL code (and even after you click you DO HAVE one last chance to verify you are at the correct web site). And with the anti-phishing enabled you can make it even more difficult.
Tell us: How'd they TASTE, chump -> http://www.dshield.org/forums/diary/SSH+Brute+Force/11215
http://www.dshield.org/forums/diary/SSH+brute+force+password+guessing+AKA+SShellPhishing/5047
http://www.dshield.org/forums/diary/New+odd+SSH+brute+force+behavior/11956
http://www.dshield.org/forums/diary/A+Couple+of+SSH+Brute+Force+Compromises/16228
---
"His argument is based totally on pure brute force, which nobody does." - by man_of_mr_e (217855) on Friday October 18, 2013 @09:59AM (#45164093)
See above (& EAT THOSE WORDS) - They're ALL in my 1st post you REPLIED to's 2nd link - AND - EACH DEALS IN BRUTE FORCING PASSWORDS!
---
"You should read your own links moron." - by man_of_mr_e (217855) on Friday October 18, 2013 @09:59AM (#45164093)
Ahem: OTHER WAY AROUND, ILLITERATE MORON (see above), lol... take your OWN shitty advice (while you eat those words, yet again, lmao!).
---
"None of your links say otherwise." - by man_of_mr_e (217855) on Friday October 18, 2013 @09:59AM (#45164093)
LMAO - "Guess again": They were in the 2nd link in my original post - It's YOUR FAULT that your ILLITERATE CHUMP SELF missed them, bigmouth!
(Guess what: YOU Fail... badly!)
APK
P.S.=> Now, shut your piehole since it's NOT POLITE TO TALK WITH YOUR MOUTH FULL - & yours CERTAINLY is full... lol - FULL OF YOUR VOMIT YOU HAVE TO EAT NOW lmao - "eating your words"! - You? You should improve your diet (lol), & not even speak - you'd lose weight too since "The Fool Chatters, while the wise man listens"... quit being a fool lmao, or, you'll die of obesity related causes from your 'eating your words' diet, rotflmao - it's turning you into an inflated balloon full of "hot-air" that MUST 1 day, go 'pop', lmao... Today was that day, for you - read more closely next time & face fact: YOU did this, to yourself - "Ya got played - ya played yerself", lol...
... apk
But, one big problem I see with this, is likely that you will be giving your fucking phone number to every website you want to log onto using this.
Why would you do this? SQRL doesn't require you to give your phone number to anyone.
No, it isn't.
He's 57. Ain't a noob. The attacks were like, ten years ago. They're like a bunch of evil ex-girlfriends on Facebook against whom he really needs a restraining order. No one really cares what the "community" thinks, if what you mean by that is the group that has the time and inclination to launch DDOS attacks and spam threads with "Gibson sucks" posts. I don't believe people of that disposition really matter if they're over 15 years old. Nobody even remembers what the hell he did "wrong", and frankly no one outside of that group cares - if anyone is left, as "they" should have been married and worried about male-pattern baldness and being severely overweight by now.
Oh, seriously, get a life.
This is very similar to the Pico concept that Frank Stajano came up with a couple of years ago - though his is rather more complete than Steve Gibson's.
You can see Frank's (entertaining) talk from the 2011 Usenix security conference here:
https://www.usenix.org/conference/usenix-security-11/pico-no-more-passwords
There's a team at Cambridge University implementing this right now, and, like Gibson, Stajano has always pledged that it will be an open and patent-free standard.