SQRL - Secure Quick Reliable Login

slides: https://www.grc.com/sqrl-presentation.pdf

This is a very thorough overview of SQRL by its creator.
It looks like a very interesting system. I particularly like:

  • The entire state of a client can be saved in a QR code.
  • Each new service gets its own public key. Really good explanation in this part of the presentation of how EC curves allow this.
  • Using profile names as a kind of password is an interesting idea.

What I’m not sure about is:

  • Can most people understand the difference between their master password and recovery code?
  • Sites accepting SQRL are potentially going to have to build their own recovery infrastructure.
  • Is the user experience good enough for logins that don’t have high security requirements?

I particularly like this comment, at 32:20:

SQRL gives websites no secrets to keep

This is the quickest way of explaining that you don’t have to trust the server with your identification.
Also, it is possible to verify from outside the server that it holds nothing that, if leaked, can compromise the system.
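Added example (mine, not from the slides or the SQRL project's code) of the two points above: one master key giving every site its own public key, and a server that stores only public keys. It follows the published SQRL derivation (HMAC-SHA256 keyed with the Identity Master Key over the site domain, used as the Ed25519 seed) and leaves out the rest of the protocol (QR transport, the exact nut format, recovery); the master key, domains and challenge bytes are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// perSiteKey derives the Ed25519 key pair used for one site. The 32-byte
// Identity Master Key (IMK) keys HMAC-SHA256, the site's domain is the
// message, and the 32-byte tag becomes the Ed25519 seed. Sites therefore
// see unrelated public keys and cannot derive each other's key or the IMK.
func perSiteKey(imk []byte, domain string) (ed25519.PublicKey, ed25519.PrivateKey) {
	mac := hmac.New(sha256.New, imk)
	mac.Write([]byte(domain))
	priv := ed25519.NewKeyFromSeed(mac.Sum(nil))
	return priv.Public().(ed25519.PublicKey), priv
}

// site stands in for a web server. Its only per-user record is a public
// key: leaking this table lets nobody log in as anyone.
type site struct {
	users map[string]ed25519.PublicKey // hex public key -> key
}

func newSite() *site { return &site{users: map[string]ed25519.PublicKey{}} }

func (s *site) register(pub ed25519.PublicKey) { s.users[hex.EncodeToString(pub)] = pub }

// verifyLogin checks the client's signature over a fresh server-issued
// challenge (SQRL's "nut") against the stored public key for that identity.
func (s *site) verifyLogin(pub ed25519.PublicKey, challenge, sig []byte) bool {
	stored, ok := s.users[hex.EncodeToString(pub)]
	return ok && ed25519.Verify(stored, challenge, sig)
}

func main() {
	imk := []byte("0123456789abcdef0123456789abcdef") // constructed IMK; a real one is random
	pubA, privA := perSiteKey(imk, "example.com")
	pubB, _ := perSiteKey(imk, "example.org")
	fmt.Println("distinct per-site keys:", hex.EncodeToString(pubA) != hex.EncodeToString(pubB))
	s := newSite()
	s.register(pubA)
	challenge := []byte("constructed-nut-0001")
	fmt.Println("own key accepted:", s.verifyLogin(pubA, challenge, ed25519.Sign(privA, challenge)))
	fmt.Println("other site's key accepted:", s.verifyLogin(pubB, challenge, ed25519.Sign(privA, challenge)))
}
```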

