Monday, October 07, 2013

SQRL login system

Gibson Research has released a secure login system called SQRL (Secure (QR) Login - pronounced "squirrel") with a lot of very interesting and attractive properties.

The superbrief summary of SQRL is:

  • You install the SQRL software on your smartphone
  • When you visit a web site that supports SQRL, you will see a QR code next to the login form.
  • Instead of typing in your user ID and password, you scan the QR code with your phone
  • The SQRL app works some cryptographic magic (go read the web page for the details) and sends the results to the URL that's part of that QR code
  • You click the login button without typing in any name/password
  • You are securely and anonymously logged in:
    • The server doesn't know who you are (unless you provide that information separately)
    • The server will recognize you when you come back in the future
    • Other servers using SQRL will see different anonymous IDs, so you can't be tracked across multiple sites (unless, of course, you provide additional information as a part of using that site.)
    • The authentication process is out-of-band (separate network connection, separate device, etc.) so a compromised web browser (like in a public terminal) won't see any of your login credentials

More convenient and more secure than a normal password-based login. What more could you want?
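
The flow summarized above, sketched as an added example; it is not code from this post or from Gibson Research. It assumes SQRL's published design (an HMAC-SHA256 of the site's host name, keyed with a master key on the phone, used as an Ed25519 seed), and the master key, host names and nonce parameter are constructed for illustration.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/sha256"
	"fmt"
	"net/url"
)

// siteKey derives the per-site key pair from the master key and the host in the QR code's URL.
func siteKey(master []byte, challenge string) (ed25519.PublicKey, ed25519.PrivateKey, error) {
	u, err := url.Parse(challenge)
	if err != nil || u.Hostname() == "" {
		return nil, nil, fmt.Errorf("bad challenge URL %q", challenge)
	}
	mac := hmac.New(sha256.New, master)
	mac.Write([]byte(u.Hostname()))
	priv := ed25519.NewKeyFromSeed(mac.Sum(nil)) // 32-byte MAC output is the seed
	return priv.Public().(ed25519.PublicKey), priv, nil
}

// Respond is the phone's side: sign the whole challenge URL (nonce included)
// and present the site-specific public key as the anonymous identity.
func Respond(master []byte, challenge string) (ed25519.PublicKey, []byte, error) {
	id, priv, err := siteKey(master, challenge)
	if err != nil {
		return nil, nil, err
	}
	return id, ed25519.Sign(priv, []byte(challenge)), nil
}

// Verify is the server's side: it sees only a public key and a signature.
func Verify(id ed25519.PublicKey, challenge string, sig []byte) bool {
	return len(id) == ed25519.PublicKeySize && ed25519.Verify(id, []byte(challenge), sig)
}

func main() {
	master := bytes.Repeat([]byte{0x42}, 32) // constructed demo key, never a real secret
	a1, a2 := "sqrl://shop.example/login?nonce=n1", "sqrl://shop.example/login?nonce=n2"
	idA1, sig, _ := Respond(master, a1)
	idA2, _, _ := Respond(master, a2)
	idB, _, _ := Respond(master, "sqrl://forum.example/login?nonce=n3")
	fmt.Println("login verifies:", Verify(idA1, a1, sig), "| replay on new nonce:", Verify(idA1, a2, sig))
	fmt.Println("same ID on return:", bytes.Equal(idA1, idA2), "| same ID elsewhere:", bytes.Equal(idA1, idB))
}
```

The server stores only the public key, so nothing it holds can be used to log in, and a captured response cannot be replayed against a fresh nonce.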

I need to read more about this (I've only read the first page of the site), but based on what I've read so far, and the fact that Gibson Research is a company that has earned a lot of trust over the years, I am very interested in this technology and would love to see it (or some similar concept) widely adopted all over the internet.
