SQRL (Squirrel) Authentication - Bye bye usernames and passwords?
By Chris Gilbert
Disruptive technologies occasionally come along which can make a big difference in computing. One such idea, still in its early days, which I heard about last week is the SQRL authentication proposal by Steve Gibson. This proposal aims to address the extremely big problem of username and password authentication across the internet. This is a huge and annoying problem for all internet users: you must try to come up with secure passwords, whilst giving passwords to many different parties, some of whom you can trust and some of whom you can't.

The proposal is a simple idea, but it seems to work very well:

1. Website presents a QR code.
2. User snaps the QR code with their phone's camera.
3. User is logged into the website.

A bit too simple? The strength comes in the implementation though: your secrets are not shared across different sites, you control your private key password at all times, and no third parties are involved. In the background, the QR code contains a URL. The app on your phone takes this URL and its unique token, signs a return message with the private key, and then sends that message to the URL given by the QR code.

The beauty of this is that you have out-of-band authentication, which is hard to intercept, and that the site never sees your private password, so even if the site is compromised, these details are not lost. There are probably some weaknesses, but the general idea is brilliant, and will hopefully gain the traction it deserves.

For more information have a look here: https://www.grc.com/sqrl/sqrl.htm
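To make the exchange above concrete, here is a small model of both sides in Go, written for this post rather than taken from the SQRL project: the site hands out a URL carrying a one-time token, the phone derives a key that is specific to that site's domain and signs the whole URL, and the site verifies the signature and consumes the token so a captured reply cannot be replayed. The per-site key derivation (HMAC-SHA256 of a master secret with the domain) and the URL layout are my own assumptions for illustration, not the SQRL specification's exact format.

```go
package main
import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"net/url"
)

// SiteKey derives a per-site Ed25519 key pair from the master secret and the site's domain,
// so no two sites ever see the same public key. Assumption: HMAC-SHA256 derivation, not SQRL's.
func SiteKey(master []byte, domain string) (ed25519.PublicKey, ed25519.PrivateKey) {
	mac := hmac.New(sha256.New, master)
	mac.Write([]byte(domain))
	priv := ed25519.NewKeyFromSeed(mac.Sum(nil)) // 32-byte MAC == ed25519.SeedSize
	return priv.Public().(ed25519.PublicKey), priv
}

type Server struct {
	Domain string
	Nonces map[string]bool // issued one-time tokens not yet consumed; the site holds no user secret
}

// Challenge is the URL the QR code encodes: the site's login endpoint plus a fresh random token.
func (s *Server) Challenge() string {
	b := make([]byte, 16)
	rand.Read(b)
	s.Nonces[hex.EncodeToString(b)] = true
	return "sqrl://" + s.Domain + "/login?nut=" + hex.EncodeToString(b)
}

// Respond is the phone: derive the key for the scanned URL's domain and sign the whole URL.
func Respond(master []byte, challenge string) (ed25519.PublicKey, []byte) {
	u, _ := url.Parse(challenge)
	pub, priv := SiteKey(master, u.Host)
	return pub, ed25519.Sign(priv, []byte(challenge))
}

// Verify is the site: our domain, a token we issued and have not consumed, and a valid signature.
// The token is then consumed to block replays; the hex public key is the user's identity here.
func (s *Server) Verify(challenge string, pub ed25519.PublicKey, sig []byte) (string, bool) {
	u, err := url.Parse(challenge)
	if err != nil || u.Host != s.Domain || !s.Nonces[u.Query().Get("nut")] ||
		!ed25519.Verify(pub, []byte(challenge), sig) {
		return "", false
	}
	delete(s.Nonces, u.Query().Get("nut"))
	return hex.EncodeToString(pub), true
}
```

Note that the site stores nothing but public keys and outstanding tokens, so a breach of the site's database yields nothing that works anywhere else.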