Secure Quick Reliable Login
● SQRL, pronounced “squirrel”.
● Acronym confusion – the “QR” in SQRL stands for “Quick Reliable”, not for the “Quick Response” two-dimensional bar codes. QR codes are an optional part of the protocol.
● Official (still informal) specification proposed by Steve Gibson at
● Work in progress. Still maturing.
● Why all this? What's the purpose? – To replace usernames and passwords as the de facto standard for user authentication on websites and in on-line services in general.
● Is this the end of all passwords? – No, not really. Hold that thought.
● What's the matter with my passwords? – Nothing!
● Are they not safe? – Not with the way websites use them today.
● How's that? – Websites receive your password and try their “best” to protect it. Time and experience have proven beyond any doubt that their best is not good enough.
● Is it perfect? – Of course not! SQRL does not intend to solve every security and privacy problem on the Internet. It is, however, an alternative that is simple to use, easy to implement, and provides better security than the long-standing tradition of storing usernames and passwords on web servers across the Internet.
● Is it compatible? – Yes! It is low friction and backwards compatible. Websites that wish to support SQRL do not need to abandon usernames and passwords; they only need to offer SQRL as an alternative.
● Are you saying that with SQRL my personal password never leaves my local device? – Correct. It never travels on-line.
– Websites cannot lose it because they never have it.
– SQRL uses public-key cryptography and digital signatures to prove to the website who you are.
– Your password is only used locally, to unlock those keys.
● So, how does it work? – From the user's perspective, it's dead simple.
1) Have a SQRL client app installed locally.
2) Visit a website that supports SQRL.
3) You will be presented with a QR code (the QR code might be replaced with a simple LOGIN button).
4) Click the QR code (on a tablet or mobile device, just tap it).
5) In the SQRL app, type in your personal password.
● That's it! You are now logged in.
● The SQRL application securely provides the website with your credentials.
● Ok, seriously... what did you just do? Let's get technical.
– The first time you install the SQRL app, it creates a Master Key: a 256-bit random number.
– This Master Key is globally unique and is the root of your identity.
● The Master Key is important, so it is never stored in plain text.
– Your local password is run through SCRYPT, a memory-hard password-based key derivation function, to produce the key under which the Master Key is encrypted. The cost of each SCRYPT evaluation is what makes an off-line brute-force attack on a stolen SQRL client file expensive.
– For the SQRL app to use the Master Key, you must provide your personal password.
● The Master Key can also be exported into a backup in the form of a printed QR code.
● This physical backup uses even stronger SCRYPT parameters, making brute-force attacks virtually infeasible: an attacker only gets one guess every 60 seconds. (The 60 seconds are calibrated on the device that created the backup; faster hardware gains somewhat, but SCRYPT's memory-hardness limits how much GPUs and ASICs can speed the search up.)
● Upon visiting a SQRL-enabled website, the browser is offered a QR challenge. (Diagram: the browser requests a QR challenge from example.com, and example.com returns it.)
● The browser passes this challenge to the SQRL app (“Please sign this”).
● Internally, the SQRL app combines your Master Key with the website's domain name to create an Ed25519 key pair (WPrK/WPuK) that is unique to that website. (Diagram: SQRL application – Master Key – Ed25519 – WPrK/WPuK for example.com.)
● The website's private key (WPrK) is then used to digitally sign the QR challenge.
● The signed QR response is built from the WPuK and the QR challenge, along with the digital signature for validation.
● WPrK does not need to be stored in the SQRL client, since it can be re-created on every login request.
● The signed QR response is sent back to the website.
● Using the public key it received, the website verifies the signature, which could only have been created with the corresponding private key. For this to mean anything, the challenge must be a fresh, unpredictable value that the website accepts only once; otherwise a captured signed response could simply be replayed.
● If this is your first visit, the website stores the public key and will probably ask for more information to sign you up and create a full account (name, address, etc.).
● From now on, the WPuK is the identity you have established with the website, and only you, with your Master Key, can authenticate as it.
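The exchange on the slides above, written out as an added example; it is not part of the original presentation and not Steve Gibson's reference code. It assumes that “combining” the Master Key with the domain name means HMAC-SHA256 keyed with the Master Key over the domain, with the 32-byte result used as the Ed25519 seed (the construction the SQRL specification uses; the slides only say “combined”), that the challenge is a random 32-byte nonce the website remembers until it is consumed, and that the Master Key, domain names and account labels are constructed sample data. Both sides of the exchange are shown: the client derives WPrK/WPuK and signs, the website verifies, creates the identity on the first visit and recognises it afterwards.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// SiteKeyPair derives the per-site Ed25519 key pair (WPrK, WPuK) from the
// 256-bit Master Key and the site's domain name. Assumption: "combining" is
// HMAC-SHA256 keyed with the Master Key over the domain name; the 32-byte MAC
// is the Ed25519 seed. Nothing is stored: the pair is re-created on demand.
func SiteKeyPair(masterKey []byte, domain string) (ed25519.PublicKey, ed25519.PrivateKey) {
	mac := hmac.New(sha256.New, masterKey)
	mac.Write([]byte(domain))
	seed := mac.Sum(nil) // 32 bytes == ed25519.SeedSize
	priv := ed25519.NewKeyFromSeed(seed)
	return priv.Public().(ed25519.PublicKey), priv
}

// SignedResponse is what the SQRL app returns to the website: the challenge
// it was given, the site-specific public key, and the signature over the
// challenge made with the site-specific private key.
type SignedResponse struct {
	Challenge []byte
	WPuK      ed25519.PublicKey
	Signature []byte
}

// ClientSign is the SQRL app side of the exchange.
func ClientSign(masterKey []byte, domain string, challenge []byte) SignedResponse {
	pub, priv := SiteKeyPair(masterKey, domain)
	return SignedResponse{Challenge: challenge, WPuK: pub, Signature: ed25519.Sign(priv, challenge)}
}

// Website is the server side. The only credential it ever stores is the
// public key of each identity; issued challenges are kept until consumed so
// that a captured response cannot be replayed.
type Website struct {
	pending    map[string]bool   // hex(challenge) -> issued, not yet used
	identities map[string]string // hex(WPuK) -> account label
}

func NewWebsite() *Website {
	return &Website{pending: map[string]bool{}, identities: map[string]string{}}
}

// IssueChallenge hands out a fresh 32-byte random nonce.
func (w *Website) IssueChallenge() []byte {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		panic(err)
	}
	w.pending[hex.EncodeToString(c)] = true
	return c
}

// Verify checks a signed response and returns the account it authenticates
// and whether that account was created on this visit (first login).
func (w *Website) Verify(r SignedResponse) (account string, newUser bool, err error) {
	key := hex.EncodeToString(r.Challenge)
	if !w.pending[key] {
		return "", false, errors.New("unknown, expired or replayed challenge")
	}
	// ed25519.Verify panics on a malformed public key, so check the length first.
	if len(r.WPuK) != ed25519.PublicKeySize || !ed25519.Verify(r.WPuK, r.Challenge, r.Signature) {
		return "", false, errors.New("signature does not verify under the presented WPuK")
	}
	delete(w.pending, key) // one challenge, one login
	id := hex.EncodeToString(r.WPuK)
	if acct, ok := w.identities[id]; ok {
		return acct, false, nil
	}
	acct := fmt.Sprintf("user-%d", len(w.identities)+1) // a real sign-up would collect more details here
	w.identities[id] = acct
	return acct, true, nil
}

func main() {
	masterKey := make([]byte, 32) // constructed sample; a real client draws it from crypto/rand
	for i := range masterKey {
		masterKey[i] = byte(i)
	}
	site := NewWebsite()
	for i := 0; i < 2; i++ { // first visit creates the identity, second visit recognises it
		acct, isNew, err := site.Verify(ClientSign(masterKey, "example.com", site.IssueChallenge()))
		fmt.Printf("login %d: account=%s new=%v err=%v\n", i+1, acct, isNew, err)
	}
	pubA, _ := SiteKeyPair(masterKey, "example.com")
	pubB, _ := SiteKeyPair(masterKey, "example.org")
	fmt.Printf("same Master Key, different domains: %s... vs %s...\n",
		hex.EncodeToString(pubA)[:8], hex.EncodeToString(pubB)[:8])
}
```

The website never sees the Master Key or the password: it stores only WPuK, and the same Master Key yields an unrelated WPuK for every other domain, which is the "no shared secrets" property the next slides describe. Deleting the challenge after one successful verification is what stops a replay of a captured response.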
● What if I lose my Master Key? – No worry. SQRL provides an Identity Lock, which is not covered in this presentation.
– In short, the website stores the unique Public Key (WPuK) and a couple of other values that effectively lock your identity. Only you will be able to change those keys if the Master Key is compromised.
● So, how is this any better than usernames and passwords? – Besides the simplicity for the end user... let's see.
● No shared secrets.
– Each website receives its own unique public key. All of them derive from your Master Key, but companies cannot reliably track your identity across the Internet using these keys alone.
– Websites never have your personal password, in any shape or form. Even if their databases are hacked and stolen, the bad guys will not have enough information to log in and impersonate you: a public key verifies signatures, it cannot produce them.
● No more password management.
– Your credentials are verified using strong cryptographic signatures. There is no need to invent or generate a password for each website you visit.
– As a result, the problem of reusing one weak password on every website disappears, and so does the need to keep track of an endless list of long, random passwords.
● No third parties involved.
– SQRL is open and free, as it should be. It is independent of any centralized authority. The keys to unlock your identity are always with you and, under best practices, never leave your device or computer.
– No need to trust companies with the moral duty of keeping your identity safe. Using SQRL, you become your own single point of failure.
● Inherent protection against phishing attacks.
– For in-band authentication (the SQRL client runs on the same device as the browser), this protection is baked into the protocol: the website can verify that the device asking for a QR challenge is the same device that sends the signed QR response (in practice, the protocol compares the IP address of the two requests). This check is not available when the QR code is scanned with a separate device, which is why the protocol treats that cross-device case separately.
● Identity Lock
– Once your ID is established with a website, it is locked with extra crypto keys and some very clever use of this technology. If the Master Key is compromised, or if the website's database is stolen, in either case the bad guys cannot change your identity, and account recovery is guaranteed.
– Account recovery does not need an external medium, such as an out-of-band loop or phone SMS messages. The process is natively supported by the protocol itself.
For the sake of not over-complicating this introduction, the ID lock is not explained in this presentation. More details here:
● Can I use it now?
– There are currently no client or server implementations ready for production use.
– The open-source community is taking its first steps towards trial implementations.
– As an open standard, any website or company will be able to support it.
● Where can I read more?
– SQRL was proposed by Steve Gibson, and a complete, detailed explanation can be found on his website: