Slashdot Mirror


New Standard For Website Authentication Proposed: SQRL (Secure QR Login)

fsagx writes "Steve Gibson has proposed a new standard method for website authentication. The SQRL system (pronounced 'squirrel') eliminates problems inherent in traditional login techniques. The website's login presents a QR code containing the URL of its authentication service, plus a nonce. The user's smartphone signs the login URL using a private key derived from its master secret and the URL's domain name. The smartphone sends the matching public key to identify the user, and the signature to authenticate it. It may be used alongside traditional username/password to ease adoption."

9 of 234 comments

  1. Smartphone required to browse? by SilentConsole · Score: 3, Insightful

    I don't think it will be very popular to force users to pull out a smartphone (or even HAVE a smartphone) to use a website.

    1. Re:Smartphone required to browse? by w_dragon · Score: 4, Insightful

      Or just create a browser plugin that will read a QR and open a new tab to the link. No smartphone required. Of course, that kind of highlights why it's a dumb idea anyway.

    2. Re:Smartphone required to browse? by Anonymous Coward · Score: 2, Insightful

      But their website says:

      It eliminates every problem inherent in traditional login techniques.

      So I guess they're just swapping new problems for the traditional ones ;-)

    3. Re:Smartphone required to browse? by msauve · Score: 4, Insightful

      "I don't think I've cleared my cookies in five years..."

      You must not binge drink.

      --

      "National Security is the chief cause of national insecurity." - Celine's First Law

  2. Re:Challenge/response tunneled inside of SSL? by Seumas · Score: 4, Insightful

    I recently checked out the two podcasts where he went into extensive detail on SQRL and he made it pretty clear that he isn't looking to make money on this concept if it were to take off and that he "doesn't really even have time to do much with it". He presented his idea, documented it, opened up some discussion about it and a forum for people to discuss it in and left it at that. Say what you may about him, but I don't get any sort of "erhmagerd, I'm gonna get rich off this" going on here. I'm sure if clear flaws are demonstrated to him, he'd readily discuss them and admit them when they were uncovered.

  3. I have a better idea by WaffleMonster · Score: 4, Insightful

    The endless parade of cheap hacks needs to stop. Anything less than strong bindings between session encryption and authentication is short changing everyone.

    Get browser vendors to apply the TLS-SRP patches sitting in their ticket systems.

  4. Re: Steve Gibson is a... by weedenbc · Score: 5, Insightful

    Steve has a lot of hate coming from the traditional hacker community, some of it for good reasons. He got started in all this trying to defend himself from some attacks, and definitely made some noob mistakes. In particular, he made the mistake of lumping in penetration testers (white hats) with criminal hackers (black hats). That generated a lot of hate from the pen tester community and many labeled him a fraud and never looked back. His biggest offense seems to be that he is not of, and does not participate in, the traditional hacker/pen tester community. I think it is very telling that none of his detractors are actually pointing out problems in his proposal for SQRL. They are relying entirely on "we all know Steve Gibson is a fraud" arguments.

    --

    "Trying is only the first step towards failure." - Homer

  5. Re:What problem? by dgatwood · Score: 4, Insightful

    One of the main things it's supposed to address is to allow secure login from a public computer.

    Unfortunately, that entire concept is flawed for at least two blindingly obvious reasons:

    • This does not solve the man-in-the-middle attack where untrusted endpoint devices are concerned, because that problem is a fundamentally unsolvable problem. If you cannot trust both endpoints, no secure connection is possible. This is a fundamental tenet of computer security.

      In particular, if you can't trust the endpoint, you can't trust anything that the endpoint presents to you. Unless this scheme literally requires you to point your phone at the screen and authenticate every single action, there's nothing stopping someone from tweaking the content on its way to the untrusted screen so that the logout button doesn't actually log you out, but instead merely shows a fake logout screen. Then, the person who owns that untrusted computer has access to your account.

      And even if you try to patch around that with a QR code that deauthorizes the computer, there's nothing stopping someone from automatically transferring money to a bank in the Cayman Islands right before it requests that logout code, or whatever. So even in the best case, this does not really add any significant amount of trust to the untrusted device.

    • If your phone can connect to the Internet, why aren't you just using your phone for browsing, and using the computer merely as a larger display and keyboard? By doing this, the login credentials are stored in your phone's keychain, so you aren't typing a password, making that issue moot, and the control disappears when you unplug from the keyboard and screen, making pretty much all other issues almost entirely moot unless you're actually typing or viewing something sensitive.

    --

    Check out my sci-fi/humor trilogy at PatriotsBooks.

  6. Re: Steve Gibson is a... by T_Tauri · Score: 3, Insightful

    Nope, completely independent of your phone number. Each site you visit effectively has its own user identifier, unique to that site, which is generated from a combination of your master key and the website address. Unless you tell the web site some of your details, all the site knows is that you are the same person as every other time you visited. Nothing stopping this being completely anonymous as long as the site does not demand personally identifiable info (e.g. a retail site would need your name, address and payment details, or the login is pointless).
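The flow described in the submission summary (per-site key derived from a master secret and the login URL's domain, login URL plus nonce signed, public key sent as the identity) and T_Tauri's point about per-site identifiers, worked as an added example that is not SQRL's own code or specification. It uses HMAC-SHA256 for the derivation and Ed25519 for signing as this example's own choices, with a constructed master secret and constructed nonce values; the server-side check shows that the signature is bound to the exact URL (nonce included) it issued, and that a different domain yields an unrelated identity.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/sha256"
	"fmt"
	"net/url"
)

// siteKey derives the per-site private key: HMAC-SHA256(master, hostname) is used
// as the 32-byte Ed25519 seed. Same master + same host always gives the same key;
// a different host (including a look-alike phishing domain) gives an unrelated key.
func siteKey(master []byte, loginURL string) (ed25519.PrivateKey, error) {
	u, err := url.Parse(loginURL)
	if err != nil {
		return nil, err
	}
	mac := hmac.New(sha256.New, master)
	mac.Write([]byte(u.Hostname()))
	return ed25519.NewKeyFromSeed(mac.Sum(nil)), nil
}

// Login is the client side: it returns the site-specific identity (public key)
// and the signature over the full login URL, which carries the server's nonce.
func Login(master []byte, loginURL string) (ed25519.PublicKey, []byte, error) {
	priv, err := siteKey(master, loginURL)
	if err != nil {
		return nil, nil, err
	}
	return priv.Public().(ed25519.PublicKey), ed25519.Sign(priv, []byte(loginURL)), nil
}

// Verify is the server side: it must check against the URL it actually issued,
// so a signature captured for one nonce cannot be replayed for another.
func Verify(pub ed25519.PublicKey, issuedURL string, sig []byte) bool {
	return ed25519.Verify(pub, []byte(issuedURL), sig)
}

func main() {
	master := []byte("constructed demo master secret") // demo value only
	a := "https://example.com/sqrl?nut=abc123" // constructed nonce "abc123"
	b := "https://example.net/sqrl?nut=abc123" // same nonce, different domain
	pubA, sigA, _ := Login(master, a)
	pubB, _, _ := Login(master, b)
	fmt.Println("same identity on both sites:", pubA.Equal(pubB))
	fmt.Println("valid for issued URL:", Verify(pubA, a, sigA))
	fmt.Println("valid with swapped nonce:", Verify(pubA, "https://example.com/sqrl?nut=zzz", sigA))
}
```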