Who are they?
These are your basic users. They want to use the system, but they may or may not have read the more detailed documentation. They should be assumed to have no technical understanding of the underlying framework. They just want the system to work and to get the help they need when things go wrong.
Existing Web Copy
The user experience:
[Image: SAMPLE SQRL Login Form]
Wishing to log in to an online service where an “SQRL” code appears nearby:
- The user can tap or click directly on the SQRL code to log in, or launch their smartphone's SQRL app, and scan the QR code.
- For verification, SQRL displays the domain name contained in the SQRL code.
- After verifying the domain, the user permits the SQRL app to authenticate their identity.
- Leaving the login information blank, the user clicks the “Log in” button... and is logged in. (A bit of page automation could even eliminate the need to click the “Log in” button.)
Even though it is THAT simple, it is FAR more secure than any other login solution. (We'll define exactly what “far more secure” means, below.)
Three Ways to Go . . . smartphone optional:
(And we solve the XKCD problem above!) Although the original inspiration for the development of this system was a smartphone scanning a QR code on a website's login page, a small addition to that model enables two more significant modes of operation: Simply make the QR code image also a clickable link to the same URL that's encoded into the QR code. This yields three ways to login:
- Scan the code with a smartphone: Using the model described above, a user's smartphone scans the QR code appearing on a website's login page and the user is logged into that site.
- TAP THE CODE on a smartphone: To log in to a website ON the smartphone, when the visual SQRL code is also a URL-style link (using sqrl:// as the scheme) the SQRL app installed in the smartphone will receive that link and securely log the user into the site on the phone.
- Click the code on a desktop or laptop screen: To use the SQRL system on any desktop or laptop system, a desktop SQRL application would be installed and would register itself to receive sqrl:// links. (This is similar to the way an email program registers to receive mailto: links.) This allows the same solution to be used by users on their desktop that they are using on their smartphones. When any website offers an SQRL code the user just clicks on the code with their mouse cursor and the locally installed SQRL app will pop up, prompt for their SQRL password, confirm the domain, and then log them in.
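The two mechanics the copy above relies on are (a) the QR image doubling as a clickable sqrl:// link to the same URL, and (b) the client app pulling the domain out of that link and showing it to the user for verification before anything else happens. The following is an added example, not code from the SQRL project or from GRC, that shows both steps in plain Python. The host `login.example.com`, the `session=` query parameter and the image file name are constructed placeholders; the real SQRL link format is not described on this page and is not assumed here.

```python
import html
from urllib.parse import urlsplit

SQRL_SCHEME = "sqrl"

# Constructed sample: the URL a site would both encode in its QR code and use
# as the href of the clickable image. Host and query string are placeholders.
SAMPLE_SQRL_URL = "sqrl://login.example.com/sqrl?session=abc123"


def qr_link_html(sqrl_url: str, qr_image_src: str = "sqrl-code.png") -> str:
    """Server side: wrap the QR image in a link whose href is the same
    sqrl:// URL that the QR code encodes, so tapping/clicking and scanning
    both hand the identical URL to the SQRL app. The URL is HTML-escaped so
    a '&' or quote in the query cannot break out of the attribute."""
    safe_url = html.escape(sqrl_url, quote=True)
    safe_img = html.escape(qr_image_src, quote=True)
    return f'<a href="{safe_url}"><img src="{safe_img}" alt="SQRL login code"></a>'


def extract_login_domain(sqrl_url: str) -> str:
    """Client side: given the link the app was handed (scanned, tapped or
    clicked), return the domain it names, normalised for display. Anything
    that is not a well-formed sqrl:// URL with a host is rejected, so the
    app never shows a confirmation dialog for a link it should not handle."""
    parts = urlsplit(sqrl_url)
    if parts.scheme.lower() != SQRL_SCHEME:
        raise ValueError(f"not a {SQRL_SCHEME}:// link: {sqrl_url!r}")
    host = parts.hostname  # urlsplit lower-cases and strips any userinfo/port
    if not host:
        raise ValueError(f"{SQRL_SCHEME}:// link has no domain: {sqrl_url!r}")
    return host.rstrip(".")


def domain_matches(displayed_domain: str, expected_site: str) -> bool:
    """The user's verification step, made mechanical: the domain shown by the
    app must be exactly the site the user believes they are logging in to.
    Exact comparison means 'login.example.com.evil.net' does not pass for
    'login.example.com', which is the lookalike case the display is there
    to expose."""
    norm = lambda d: d.strip().lower().rstrip(".")
    return norm(displayed_domain) == norm(expected_site)


if __name__ == "__main__":
    print(qr_link_html(SAMPLE_SQRL_URL))
    shown = extract_login_domain(SAMPLE_SQRL_URL)
    print("App would display:", shown)
    print("User expects login.example.com ->", domain_matches(shown, "login.example.com"))
```

`extract_login_domain` is the only piece the app needs before it can show the verification prompt; everything after the user's approval (password prompt, authentication) is outside what this page describes and is deliberately not sketched.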
So what's left?
We're JUST getting started!
What we've seen so far are only the broad outlines of the solution, enough to provide an overview of the system's operation to interested parties, to perhaps convince skeptics that such a system CAN operate, and to create a foundation and interest in the further detailed pages that follow.
Among the problems we have solved to create a practical solution, are:
- How are identities backed up and/or cloned to other devices?
- What about logging into a website displayed on the smartphone's own browser?
- What if the smartphone that contains my identity is lost or stolen?
- What about password protecting logins on the phone?
- What if the phone is hacked?
- What about different people (and identities) sharing one phone?
- What about having multiple identities for the same website?
There are workable solutions to every one of those problems, and more. The full implementation of the system protects the user's identities even if their smartphone is stolen and every secret it contains becomes known.
All the content here: https://www.grc.com/sqrl/userview.htm
Some content from here: https://www.grc.com/sqrl/operation.htm
Most of the content from here (servers): https://www.grc.com/sqrl/server.htm
Some of the content here: https://www.grc.com/sqrl/resources.htm
Some of the content here: https://www.grc.com/sqrl/implementations.htm
Content from here: https://www.grc.com/sqrl/feedback.htm