Documentation Analysis/Audience/Curious

Revision as of 20:57, 1 July 2017 by Perlkönig (Talk | contribs)

Jump to: navigation, search

Who are they?

This includes journalists and people who just quickly want to understand what SQRL is all about. They are not necessarily technical experts, nor are they particularly motivated to adopt SQRL themselves. They want the most pertinent information as quickly as possible, and many will stop at this point.

Existing Web Copy

With SQRL (Secure Quick Reliable Login) you either tap, snap, or click a login page's QR code and YOU are securely logged in.

The SQRL system (pronounced “squirrel”) revolutionizes web site login and authentication. It eliminates many problems inherent in traditional login techniques.

This simple and straightforward SQRL protocol yields a surprising array of features and benefits:

  • Anonymous Identification & Authentication:
  • Inherent Protection From Hackers:
    • Identification vs Authentication
    • The opportunity for strong anti-phishing countermeasures
    • “Identity Lock” prevents identity change & allows recovery
    • No “shared secrets” with websites
    • Out-of-band authentication
    • No keyboard interaction
  • Protection From Hostile Authorities:
    • No third-party involvement
    • Easily scram and recover

Secure and practical anonymous identity authentication can use a first-party protocol while delivering extreme ease of use.

The LACK of third-party involvement

The use of a third-party “middleman” transfers much of the responsibility for the management of your online identity to an external facility. In an era of secret national security letters compelling the disclosure of whatever the government desires, that's a serious liability (as mentioned above), but it can also be a significant benefit: If your smartphone escapes from your control, you need only tell the third-party to cancel the phone's authentication authority and you're immediately protected from malicious use of your smartphone's identity assertion. This SQRL system concentrates ALL authentication authority into the smartphone. The benefit is that no one else has the keys to your online identity. No one. But the liability is that YOU are then absolutely responsible for maintaining the security of your online identity. Ultimately, someone has to be responsible for your identity. Should it be you, or someone else?

This is a serious issue that needed to be addressed. Our solution is to provide the user with a conceptually simple set of tools to dramatically ease the burden of assuming and managing this responsibility. As subsequent pages detail, the system provides extensive cloning, backup, local password protection and reset capability.

Three Ways to Go . . . smartphone optional:

(And we solve the XKCD problem above!) Although the original inspiration for the development of this system was a smartphone scanning a QR code on a website's login page, a small addition to that model enables two more significant modes of operation: Simply make the QR code image also a clickable link to the same URL that's encoded into the QR code. This yields three ways to login:

  • Scan the code with a smartphone: Using the model described above, a user's smartphone scans the QR code appearing on a website's login page and the user is logged into that site.
  • TAP THE CODE on a smartphone: To login to a website ON the smartphone, when the visual SQRL code is also a URL-style link (using sqrl:// as the scheme) the SQRL app installed in the smartphone will receive that link and securely log the user into the site on the phone.
  • Click the code on a desktop or laptop screen: To use the SQRL system on any desktop or laptop system, a desktop SQRL application would be installed and would register itself to receive sqrl:// links. (This is similar to the way an email program registers to receive mailto: links.) This allows the same solution to be used by users on their desktop that they are using on their smartphones. When any website offers an SQRL code the user just clicks on the code with their mouse cursor and the locally installed SQRL app will pop-up, prompt for their SQRL password, confirm the domain, and then log them in.

So what's left?

We're JUST getting started!

What we've seen so far are only the broad outlines of the solution, enough to provide an overview of the system's operation to interested parties, to perhaps convince skeptics that such a system CAN operate, and to create a foundation and interest in the further detailed pages that follow.

Among the problems we have solved to create a practical solution, are:

  • How are identities backed up and/or cloned to other devices?
  • What about logging into a website displayed on the smartphone's own browser?
  • What if the smartphone that contains my identity is lost or stolen?
  • What about password protecting logins on the phone?
  • What if the phone is hacked?
  • What about different people (and identities) sharing one phone?
  • What about having multiple identities for the same website?

There are workable solutions to every one of those problems, and more. The full implementation of the system protects the user's identities even if their smartphone is stolen and every secret it contains, becomes known.

SQRL's Identity Lock answers the question: “But what if someone, someday, DOES obtain unencrypted access to a user's identity?”

SQRL's ID Lock provides a frictionless means for securely authorizing SQRL client-mediated (“in band”) identity changes, while simultaneously preventing unauthorized identity modification.

If the worst happened, and a user's decrypted SQRL identity somehow escaped from their control, the user can securely cancel & replace their lost identity, rendering the stolen (old) identity useless.

How SQRL Can Thwart Phishing Attacks

Although the SQRL identity authentication login system does not promote itself as an anti-phishing solution, observers have hoped that, in addition to everything else it does, it might also be able to provide some relief from the classic and pervasive Internet worry over phishing. As it turns out, the SQRL authentication architecture does present significant opportunities for thwarting phishing attacks.

SQRL Commentary

  • Don Kiely's DevPro Blog: Securely SQRL Away Authentication Credentials
  • Cristian Satnic's OdeToData Blog: Time to say goodbye to usernames and passwords for website authentication
  • BraveNewCoin Blog: SQRL Revolutionizing Web Site Login And Authentication

Some of the content from here: