GRC's | SQRL Secure Quick Reliable Login

GRC's | SQRL Secure Quick Reliable Login

Proposing a comprehensive, easy-to-use, high security replacement for usernames,

passwords, reminders, one-time-code authenticators . . . and everything else.

The SQRL system (pronounced “squirrel”) revolutionizes web site login and authentication. It eliminates many problems inherent in traditional login techniques.

Wishing to login to an online service where an “SQRL” code appears nearby:

The user can tap or click directly on the SQRL code to login, or launch their smartphone's SQRL app, and scan the QR code. For verification, SQRL displays the domain name contained in the SQRL code. After verifying the domain, the user permits the SQRL app to authenticate their identity. Leaving the login information blank, the user clicks the “Log in” button... and is logged in. (A bit of page automation could even eliminate the need to click the “Log in” button.)

What happened behind the scenes?(This is intended to quickly inform crypto-awarereaders. Complete details are provided below.)

• The QR code presented near the login prompt contains the URL of the authentication service for the site. The URL includes a securely generated long random number so that every presentation of the login page displays a different QR code. (In crypto circles this long random number is known as a “nonce.”)

• The smartphone's SQRL authentication app cryptographically hashes the domain name of the site keyed by the user's master key to produce a site-specific public key pair.

• The app cryptographically signs the entire URL contained in the QR code using the site-specific private key. Since the URL includes a secure long random number (the nonce), the signature is unique for that site and QR code.

• The app issues a secure HTTPS POST query to the QR code's URL, which is the authentication service for the site. The POST provides the site-specific public key and the matching cryptographic signature of the QR code's URL.

• The authenticating web site receives and acknowledges the POST query by returning a standard HTTP “200 OK” with no other content. The SQRL app acknowledges the successful submission of the user-signed QR code.

• The authenticating site has the URL containing the nonce which came back from the login page via the user's smartphone. It also has a cryptographic signature of that URL, and the user's site-specific public key. It uses the public key to verify that the signature is valid for the URL. This confirms that the user who produced the signature used the private key corresponding to the public key. After verifying the signature, the authenticating site recognizes the now-authenticated user by their site-specific public key.

Summarizing this for your next cocktail party: “The website's login presents a QR code containing the URL of its authentication service, plus a nonce. The user's smartphone signs the login URL using a private key derived from its master secret and the URL's domain name. The Smartphone sends the matching public key to identify the user, and the signature to authenticate it.”