38

I just came across https://www.grc.com/sqrl/sqrl.htm

With Secure QR Login, your phone snaps the QR code displayed on a website's login page . . . . and YOU are securely logged in.

This seems like it would be pretty awesome - one of the problems that I can think of is if the QR reader is compromised, to display www.google.com instead of www.nsa-super-secret-place.gov/123. What other problems does this system have?

Wayne Werner
  • 1,755
  • 3
  • 15
  • 20
  • 1
    I don't have the rep to post an answer here, so as comment: As ajedi32 says most answers are severely outdated. Regarding phishing the sqrl protocol could be much safer than passwords as browsers could flag sqrl login codes not belonging to the site you are on as a problem, without knowing your sqrl identity or anything. With passwords that is impossible as there is no standardized way for the browser to know for which site a password you enter is meant. – JanKanis Mar 04 '16 at 16:54
  • 2
    FYI, this idea has surfaced again: [authentiq](http://authentiq.com) – NH. Sep 17 '18 at 20:06

7 Answers7

39

Overall, the protocol does not appear to increase security over existing technology. If you are looking for the best way to protect your identity online, this is without question not it. But let's go over the pros and cons:

Advantages

It's impossible to "share" a password in the narrow sense that a malicious website can't use the authentication provided to one site to log in to another site.

A brute-force attack against the authentication token is not feasible.

Credentials are not stored on your computer. This protects you against a small subset of workstation-directed attacks. Specifically, you're protected against attacks that steal your password from your computer. You are not protected against any sort of session hijacking or browser-takeover attacks, though, and you are now also susceptible to phone-related attacks. More on that later.

Disadvantages

This technique is dangerously susceptible to MITM attacks and social engineering. Probably more so than any other authentication scheme in use, including passwords. The authentication step and the login initiation step are inherently disconnected in the sense that the phone will correctly authenticate against any presented QR code, no matter how or where it gets presented to the user.

So, for example, a phishing site can display an authentic login QR code which logs in the attacker instead of the user. Gibson is confident that users will see the name of the bank or store or site on the phone app during authentication and will therefore exercise sufficient vigilance to thwart attacks. History suggests this unlikely, and the more reasonable expectation is that seeing the correct name on the app will falsely reassure the user into thinking that the site is legitimate because it was able to trigger the familiar login request on the phone. The caution already beaten in to the heads of users regarding password security does not necessarily translate to new authentication techniques like this one, which is what makes this app likely inherently less resistant to social engineering.

This technique combines both authentication and identity into a physical object which is frequently lost or stolen. In this sense it's more like a passport rather than a password. Anyone in possession of your phone is suddenly exclusively in possession of your identity: not only can the attacker impersonate you, but without a second copy on a second phone (unlikely), now you have lost the ability to identify yourself. Authentication keys are not revokable, so without out-of-band recovery from each and every site, you cannot recover your identity. And even if out-of-band recovery exists, when confronted with two users, one with possession of the identity and one without, it may be difficult to see why the site operator should trust you.

This technique combines all your authentication tokens into a single key unless you manually create others. This makes your one key an extra-juicy target for attackers. Furthermore, the key is stored on your phone, which devices have typically had laughably porous internal security. Combining unusually juicy targets with substandard security does not make you safe.

Alternatives

The most problematic aspect of this scheme is how poorly it compares to the available alternatives.

The most secure universally-accepted option today is lastpass, keepass, and other such browser-integrated password systems. In particular, client-side encryption alleviates the need to trust any third party. And more importantly, browser integration makes phishing practically impossible. LastPass or KeePass will only fill the password if served from the correct domain, which means that if presented with a malicious site, the user won't have access to his password.

Furthermore, LastPass recently added a feature which nags users to change passwords that are not globally unique. This helps prevent password re-use, which means the primary benefit of Gibson's technique can easily be gained using this tool today on existing sites, without the added insecurity his scheme implies.

Existing second-factor authentication schemes which use phones or similar devices help protect user logins today already do so in such a way that doesn't make you immediately vulnerable to identity theft if your device is stolen. The added security of two-factor authentication lies in the fact that neither the device nor the password can be used if stolen without the other. Gibson's technique is largely resistant to being included in a two-factor scheme, which makes this level of protection unavailable.

TL;DR:

Gibson's authentication technique does not create sufficient benefit to overcome the additional security costs that it also imposes. These costs are a fundamental part of the scheme itself and cannot likely be worked out without scrapping the whole design.

You could argue that it's better than nothing, but you can't argue that it's better than anything we already have.

Gibson's Updates

Gibson recently announced some additional protection against phishing because this has been a major criticism. Their protection is this: If you're NOT using the QR codes, cell phone, etc., and instead have an authentication agent on your system (in-browser, for example), then the server can check to make sure that the authentication response comes from the same IP as the authentication request. This is good and well, but the whole purpose of this protocol is move your identity to your cell phone. If the only safe way to use the protocol is to not use it's core feature, then perhaps we should re-think what we're trying to accomplish.

Theoretically you could continue to use your cell phone if (and only if) your cell phone knew that it was using the same IP as your computer. Which, of course, it can't know because it doesn't know your computer's IP address.

A Better Solution

As stated before, if the authentication measure is in your browser, then the whole phishing problem is immediately solved with no effort or verification on the part of the user. Even the least capable user can't be tricked into authenticating to the wrong site because the site's authentication token is associated with the domain name, and the browser won't allow authentication to the wrong domain. This is a technique already in use today, is completely automatic, and does not require the site's cooperation or any intelligence on the part of the user.

This method can be strengthened by requiring a second authentication factor (such as a time-varying key on a cell phone) which, again, is already available and in use today, which protects you (most notably) against screw-ups on the part of the destination site or company.

As for concerns about browser-side authentication being vulnerable to client-workstation attacks: while the is true, it's also true that if your browser is compromised, then no usage of that browser is safe, no matter what authentication mechanism you use. Malware authors can (and already do) wait for you to authenticate on your own using your super-secure technique, and then silently send the necessary traffic to "own" your account, all without you seeing anything amiss. Neither SQRL nor any other authentication system can protect the user of a compromised browser, any more than door locks can protect you from a house fire. Buying fireproof locks is not a solution.

Where Next

If you're looking for an absolute guarantee of protection from impersonation, then look at the Fido U2F token. This standard shines where SQRL falls short, and gives you guaranteed immunity to MITM (e.g. phishing) attacks. It does so by authenticating not just the user, but also the channel, so you're guaranteed that (a) your account can't be authenticated without the token, and also (b) your token can only be used to authenticate a connection to the machine it's attached to. See this answer for more information.

tylerl
  • 82,665
  • 26
  • 149
  • 230
  • 1
    About the first point: as far as I understand, this was thought about and one option is to let the website on which you are being authenticate being responsible for the redirect. So, upon login, you are redirected to the real bank's page, not the attacker. About the second point, the same happens today with users of tools like LastPass. Unless you setup some protection mechanism (PIN, for instance), all your passwords are also stolen. Why can't the same be true for SQRL? Also, as far as I understand from the spec, the user can backup his identity even on paper (as a QR code). – jpkrohling Oct 11 '13 at 09:29
  • 7
    And about the third point: the same happens with most users that don't use a password manager, by simply using a single username/password in several websites. Or, with users of password managers, whose "identity" is spread on several websites, but stored in one single location (LastPass' servers, 1Password database, and so on). So, it's not really a SQRL flaw. All in all, the more I read about SQRL, the more I see the benefits of it comparing to the current alternatives. Say that you say about Steve Gibson, but SQRL really seems like a good alternative to me. – jpkrohling Oct 11 '13 at 09:33
  • 3
    *"The caution already beaten in to the heads of users regarding password security does not necessarily translate to new authentication techniques like this one. . ."* This is an excellent point, and the battle has already been lost to marketing. QR codes are seen as an easy way to get things done, not as a potential attack vector. Username/password pairs at least were FIRST used as an authentication mechanism, not a marketing tool. – Jonathan Garber Oct 11 '13 at 13:51
  • 2
    @jpkrohling: With regard to password managers, I would guess that most users of such software do NOT store their master password on their mobile device, precisely because they are aware of how dangerous that is. I have one physical copy of my master password in a secure location, but no electronic copies. The attacks that would grant access to my master password are different from those that would compromise a site password, and are far less likely. (Primarily because attacking my password database would involve attacking me personally, rather than a large compromised site.) – Jonathan Garber Oct 11 '13 at 13:59
  • @JonathanGarber, not sure I follow. I use LastPass on my phone, and I can create a password there that will be sync'ed into my browser's plugin. I understand that LastPass uses the master password as key to encrypt my data, then uploads and syncs it. This means that my master password *is* on any device that I use LastPass (or any other password management tool). So, I wonder how you store your passwords into a password manager without storing your master password there. And if your password manager doesn't uses your master password to encrypt your data, then it sounds even worse to me. – jpkrohling Oct 11 '13 at 16:07
  • @jpkrohling: So far as I understand it, password managers derive the key from the master password and then encrypt the vault using this key. It's not necessary to store the key, as it can (and should) be recomputed each time the vault is accessed. If you mean that the key is present in device memory (however temporary that may be), then yes, that's true, but it's kind of irrelevant. – Jonathan Garber Oct 11 '13 at 16:53
  • 3
    @jpkrohling Neither LastPass nor KeePass stores a master password anywhere. It's used to unlock your password database, but it isn't stored. This is fundamentally different from having a single key which is, itself, used everywhere. – tylerl Oct 11 '13 at 16:55
  • 2
    @jpkrohling WRT redirecting the user to the correct site on authentication: this is fundamentally impossible with SQRL because authentication is out-of-band. You'd instead need a browser plugin or some other client-side agent to handle the redirect, which then defeats the whole purpose of having a QR code. – tylerl Oct 11 '13 at 16:57
  • _"a phishing site can display an authentic login QR code which logs in the attacker instead of the user."_ This issue is mitigated by a SQRL client's option to require that the SQRL server only validate the original requester if it is connecting from the same IP address, making phishing practically impossible. – Joshua Tacoma Oct 12 '13 at 23:29
  • 1
    @JoshuaTacoma .. you mean the web request needs to come from the same IP as the phone that does the authentication? Unless the phone is on wifi, and also on the same network as the worksatation, and the network uses SNAT to a single gateway IP, then authentication will always fail. A bad design plus occasionally-effective workarounds does not make a good design. – tylerl Oct 13 '13 at 04:55
  • @tylerl, ok, but just to be more clear about how this works, "sqrlopt=enforce" is optionally specified by the SQRL client during authentication, not by default. Also, it's possible for the SQRL client to execute on the same machine as the browser (so you don't need multiple phones to authenticate from a phone, or any phone at all to authenticate from a desktop) and this would make "sqrlopt=enforce" very effective. – Joshua Tacoma Oct 14 '13 at 11:44
  • Could you elaborate about your phishing site attack? (I think I puzzled together how this is supposed to work from the comments, but it would be better clearly mentioned in the answer.) – Paŭlo Ebermann Oct 18 '13 at 22:32
  • 1
    @PaŭloEbermann You visit a phishing site pretending to be your bank. The phishing site visits your bank and gets a SQRL image, and shows that image to you. You scan the image with your phone and log in. The phishing site is now logged in to your bank. None of the mitigation options presented originally (or since then) do anything to mitigate this risk. – tylerl Oct 18 '13 at 22:53
  • 1
    I still don't see how this is any worse than something like LastPass, or the current solution of users using the same password or set of passwords for nearly every site. Isn't it just as easy for your LastPass password database and master password to be stolen as it is for your SQRL master key to be stolen? And if your SQRL master key is stolen, the ["Identity Lock"](https://www.grc.com/sqrl/idlock.htm) feature of SQRL would allow you to recover your account anyway. (The same can't be said of a stolen LastPass password database.) – Ajedi32 Dec 22 '14 at 19:52
  • 1
    (cont.) And as for Phishing, the ["same-device"](https://www.grc.com/sqrl/phishing.htm) login feature of SQRL seems just as good as LastPass, and better than the status quo of non-unique passwords. Heck, even the "cross-device" QR solution is better than the status quo, since phished SQRL credentials can only be used once, as opposed to non-unique passwords, or even unique passwords which can be used until they are changed. I just don't see how this is nearly as bad as you make it sound... – Ajedi32 Dec 22 '14 at 19:56
  • @Ajedi32 The "same device" mechanism can provide phishing protection if (and only if) it's browser-integrated and directly retrieves the hostname without user interaction. But the original design (QR codes and all that) is the wrong direction. – tylerl Dec 22 '14 at 21:43
  • @tylerl I wouldn't say wrong direction. As I explained, SQRL is still vastly better than current password-based authentication schemes in practice. The lack of idiot-proof phishing protection when using the cross-device method is a definite disadvantage when compared to FIDO or even LastPass, but compared to the status quo it's still definitely a step in the right direction IMO. – Ajedi32 Dec 22 '14 at 22:00
  • @Ajedi32 Suggesting we adopt SQRL because it's better than unmanaged passwords is like saying we should all commute to work on unicycles because they're faster than pogo sticks. If you're going to put your time and effort behind a solution, you don't pick a mediocre one simply because it's better than a horrible one. – tylerl Jan 09 '15 at 06:04
  • @tylerl The problem with that analogy is that we don't have any better solution at the moment. Sure there's UAF and U2F, but since those solutions require browser support they are still a long way away from being supported widely enough to be viable as a primary authentication mechanism for the web. SQRL's major advantage is that it can be implemented now, with no action necessary on the part of browser vendors. And if it *does* become widely used, browser vendors can get involved later to add additional security measures, like "same-device" login. – Ajedi32 Jan 09 '15 at 14:53
  • It’s not vulnerable to MTM attacks. He explains how it works in a video on the grc site. In any case, all your arguments disappear if you use a nonce the first time because the MTM doesn’t have that part. – Engineer Sep 10 '21 at 00:18
19

SQRL certainly is not without flaws, but it's certainly superior to most primary authentication solutions widely used on the web today in terms of security and (and this is important) usability. Allow me to explain.

Misconceptions

First, let me clear up a few of the misconceptions present in some of the other answers on this question. Many of these answers are outdated, and were written before changes to the SQRL documentation which address the problems presented in them, while others seem to place undue emphasis on flaws in SQRL which are also present in many other widely-used existing authentication solutions, while ignoring its benefits. So let's clear up a few misconceptions here, shall we?

Myth: SQRL requires scanning QR codes to work

This simply isn't true. QR codes are a convenience which makes SQRL easier to use on computers that the user hasn't set up SQRL client software on. SQRL's website states the following:

Three Ways to Go . . . smartphone optional:

Although the original inspiration for the development of this system was a smartphone scanning a QR code on a website's login page, a small addition to that model enables two more significant modes of operation: Simply make the QR code image also a clickable link to the same URL that's encoded into the QR code. This yields three ways to login:

  • Scan the code with a smartphone: Using the model described above, a user's smartphone scans the QR code appearing on a website's login page and the user is logged into that site.
  • TAP THE CODE on a smartphone: To login to a website ON the smartphone, when the visual SQRL code is also a URL-style link (using sqrl:// as the scheme) the SQRL app installed in the smartphone will receive that link and securely log the user into the site on the phone.
  • Click the code on a desktop or laptop screen: To use the SQRL system on any desktop or laptop system, a desktop SQRL application would be installed and would register itself to receive sqrl:// links. (This is similar to the way an email program registers to receive mailto: links.) This allows the same solution to be used by users on their desktop that they are using on their smartphones. When any website offers an SQRL code the user just clicks on the code with their mouse cursor and the locally installed SQRL app will pop-up, prompt for their SQRL password, confirm the domain, and then log them in.

Myth: The SQRL master key is stored completely unencrypted and unprotected on your phone

I'm not sure why some people made this assumption, as it seems obvious to me that this would not be the case. The SQRL master key is protected about the same way you'd protect a password database: with a strong master password. Stealing a user's phone would not automatically give you access to their online identity unless you also had their master password. More details on key management are explained in the page on SQRL Client-Side Key Management on SQRL's website.

Myth: If your master key is stolen, you can't change your login credentials

This is also false. SQRL provides a built-in way to allow the genuine account holder to update their login credentials in the case of a compromised key. This feature is known as Identity Lock:

“Identity Lock” prevents identity change & allows recovery: This is also significant enough to deserve its own detailed description page: “The identity lock protocol” (page 4 in the link block at the bottom of this page.) Once a user's identity has been established with a web server, the SQRL client is unable to change that identity. This means that if the worst happened, and a very weak and easily guessed password was used, or a user's phone or desktop was hacked to obtain their identity master key and password, no malicious third party can change the user's online identity to lock them out of their own online accounts. And, moreover, by then loading an a normally offline “Identity Unlock Key”, the true owner of their identity can retire and replace their lost or stolen online identity to essentially take it back from any attacker, rendering their previous identity useless.

Plausible: SQRL is more vulnerable to phishing than existing authentication solutions

Okay, so this is actually partially true. When using SQRL by scanning a QR code, there is indeed very little protection against phishing. Unless the user is careful to ensure that the website shown in their browser's URL bar is the same as the one displayed by the SQRL Client app, they could be authorizing a login session for the attacker. This is still better than passwords, where they'd be giving the phisher permanent access to their account (and any other accounts they have elsewhere which share the same password) until they change their password, but not as good as other solutions which integrate with the user's browser like U2F keys, WebAuthn, client certificates, and (under certain conditions) password managers.

However, when you're using an SQRL client on the same device that you're logging in with, SQRL does have some protections against phishing in place. These protections are explained on SQRL's website, under the section on How SQRL Can Thwart Phishing Attacks. There's also the possibility of integrating SQRL with browsers (possibly through plugins) to provide much stronger protection against phishing attacks; on-par with solutions like WebAuthn and client certificates.

Overall I'd rank SQRL on about the same level as password managers for phishing protection. It has the potential to provide strong protection against phishing when installed on the same device the user is logging in on, but provides minimal protection when installed on a different device.

Comparison with Alternatives

Now let's compare SQRL with existing widely-used authentication solutions.

Passwords

SQRL is vastly superior to passwords in many ways. Not only is it more convenient to use once set up, since users don't have to worry about remembering or retyping multiple different passwords for each site, but it also protects against password reuse, weak passwords, keylogging, and, to some extent, phishing.

Disadvantages SQRL has compared to passwords are that it's more difficult to implement for website operators, not as widely-used, requires more time to set up initially, requires some effort to transfer to a new device, and provides a single point of failure for all the user's accounts if the master key is stolen (though this last point is also the case for passwords if a user uses the same password on every site).

Password Managers

In many ways, SQRL is very similar to password managers. They both provide a single, centralized trust anchor which serves as a sort of authentication proxy between users and individual services. There are a couple ways though that SQRL is superior to password managers.

The main advantage I think SQRL has over password managers is that it's easier and more secure to use on untrusted or only partially trusted computers. For example, say a user wants to login to a website using a computer at a public library. With a password manager, he would have to either access the password for that site on his phone and retype it into the computer manually, or download his password manager and password database onto the library computer, unlock the database using his master password, then log in. The first scenario is inconvenient for the user, and exposes the user's plaintext password for that one site to the untrusted computer (and to any malware on the untrusted computer, including keyloggers). The second scenario is even worse, as it's both inconvenient, and exposes the user's entire, decrypted password database and master password to the untrusted computer. With SQRL, the user would only have to scan a QR code on the untrusted computer's screen, which is much more convenient for the user, and only exposes a single login session (with no reusable credentials like a password) to the untrusted computer.

Another advantage SQRL has over password managers is that it's easier to recover from the worst-case scenario: the user's password database / master key being stolen. With a password manager you'd not only have to change your password on every site, you'd also have to worry about the attacker changing your passwords (possibly locking you out of your account). The attacker also has the advantage of possessing a list of all the sites you have an account on, making exploiting the theft of a password database that much easier. With SQRL, having your master key stolen is still a terrible situation to be in, but the attacker has no list of sites you have an account on (having to instead guess), and cannot change your password to lock you out of your account. Once you load your identity unlock key it's also a bit more convenient to change your login credentials on each site, as the SQRL client has the ability to do it for you automatically for each site you visit upon login. (No need to go through any "change password" forms.)

Finally, I think SQRL has one small but important advantage over password managers in regards to its goal of replacing passwords entirely, and that is that sites have the option of enforcing use of SQRL over traditional passwords. So long as users still have the option of poor security, reusing the same password on every site, that is something that will still happen. If SQRL starts gaining widespread adoption, sites can actually start phasing out the use of passwords. That can't be done with password managers, as they rely on the the use of passwords in order to work.

In terms of disadvantages, I actually can't think of a situation where SQRL would necessarily be worse than password managers in terms of security. The main disadvantage SQRL has is that it requires support from website operators, whereas password managers require no special support from existing services. This means you can start using password managers right now, but SQRL will have to wait until sites implement it before it can be used. This is a significant barrier to adoption.

Client Certificates

The primary advantage SQRL has over client certificates is one of convenience. Client certificates are currently complicated to set up, difficult to transfer between computers, and have privacy issues when the same cert is used on different sites. While theoretically we could build a system using client certificates which would solve these issues, there would also be the problem of poor integration with website UIs and web servers, which are more difficult problems to solve. I won't go into too much detail here, as there's already an excellent article on the usability issues of client certificates on browserauth.net.

In terms of security, client certificates have the disadvantage of requiring the involvement of a CA. This is (potentially) expensive, and requires trusting the third party CA. Furthermore, if you choose to ignore CAs and instead self-sign your certs, you have the issue of certificate revocation to deal with. Client certificates also have the same security and convenience issues as password managers when users want to log in on an untrusted computer; they have to transfer their cert to the untrusted computer, which is both inconvenient and potentially exposes their master identity to malware on that computer.

In short, until someone comes up with a better, user-friendly solution using client certificates which solves (at least most of) these problems, I don't believe client certs are a serious competitor to SQRL (or, for that matter, to passwords).

2-Factor Authentication

Just thought I'd mention this: SQRL and 2-factor authentication are not mutually exclusive. SQRL is a replacement for the first factor in 2FA: passwords. Other additional measures like OTP codes or FIDO U2F keys can still be used with SQRL.

WebAuthn

Now here's where things get interesting. WebAuthn is a new (well, newer than SQRL) W3C standard designed to provide a standard API websites can use to authenticate users with public keys on the web. Just like SQRL, it supports using the user's phone to authenticate a login session on an external device, in addition to a few other authentication methods (such as 2nd factor security keys).

This is where SQRL finally meets its match, at least from a security perspective. Not only does WebAuthn provide all the same protections against password reuse, weak passwords and keylogging that SQRL does, but it also provides even stronger protection against phishing by integrating with the user's browser even when authorizing a login session for a PC the user has not previously set up the authenticator's client software on. This is possible because in that situation WebAuthn communicates with the user's browser directly using two-way communications protocols like Blutooth or NFC instead communicating with the website the user is using via a one-way QR code.

From a usability perspective, things are a bit more complicated. On the surface at least, WebAuthn wins again. Because it is a W3C standard which already has implementations in multiple browsers, in theory users can immediately begin to use WebAuthn without needing to install any third party software. In practice though, most existing WebAuthn implementations focus on its use as a form of second factor authentication, or as a way of re-authenticating a user who previously signed in on the same device via a different login method (usually a password). As a primary authentication factor, WebAuthn is still rather lacking in viable implementations.

Other minor considerations include the fact that SQRL has a built-in method for rotating the keys of accounts in the event of a stolen master key, whereas WebAuthn relies on websites to implement their own system for revoking keys, and the fact that WebAuthn requires certain optional hardware (like Bluetooth or NFC) in order to authenticate to a remote machine, whereas SQRL can work on any machine with a working display.

Overall, I think it's very likely that WebAuthn will eventually render SQRL obsolete. SQRL may have a bit of breathing room for now, but WebAuthn has much stronger backing from browser vendors, site operators, and other third party organizations (like the W3C). Once WebAuthn gets a couple implementations enabling its use as a primary authentication factor, I expect it will begin to take over the web very quickly.

Caveats

SQRL is still under active development, so the material presented in this answer is subject to change. As development continues, I expect that some of the vulnerabilities and uncertainties in this answer will be addressed. Most of the discussion is currently taking place on the SQRL newsgroup over at grc.com.

Ajedi32
  • 4,695
  • 2
  • 26
  • 61
13

SQRL is a convenient solution to the problem of the username/password paradox. (i.e. the convenience/security tradeoff) without using a third-party. It provides a simple alternative to the most popular authentication model (Username & Password), with virtually no compromise to security. It is practically just as secure of any of the common authentication models used today, so long as you are still security conscious. If you are using SQRL, it doesn't mean you can't follow best security practices such as combining this with multi-factor authentication for important accounts.

It is important to not the miss the point of SQRL. SQRL itself does not necessary provide better or worse security. If the computer/phone itself gets compromised, or the user is tricked into being phished, then this is a side-channel attack instead of a direct fault of SQRL itself. Every conventional authentication method has this problem of side-channel attacks The unbreakable one-time pad is also vulnerable to side-channel attacks such as the compromise of the pad itself, or bad surrounding security or implementations.

If you listened to the original proposal of the idea on Steve Gibson's podcast, followed by the Q&A's, many of the concerns raised on this stack thread have been answered. Also, Steve said so himself that this very "simple" and "ingenious" (his words) idea would need to be "vetted" and "hammered on" by security experts as only time will tell if this is a secure solution.

In conclusion, most of the arguments against SQRL fall outside the domain of SQRL itself, and instead are problems with humans practicing poor security. SQRL doesn't introduce new classification of problems that our traditional authentication methods already don't have.

SQRL is excellent if used appropriately by people who are security conscious. You must understand that there is always a trade-off between convenience and security, and this solution is probably the best balance of the two I have seen.

ansichart
  • 777
  • 4
  • 13
  • Thanks Ansichart. But can't existing auth solutions simply retain equal or superior security features to SQRL and then use automation to increase their user convenience? What fundamental property of SQRL's user convenience is *not* due to automation? I ask because if a user has two black-boxes that do the same thing; one labelled "Mature" and the other labelled "SQRL" and they can be both engineered/automated have the same interface/buttons on the outside of the box - what added-value does SQRL provide? – LateralFractal Oct 12 '13 at 04:06
  • It solves the problem of the password paradox without having to use a third party. – ansichart Oct 12 '13 at 04:20
  • 1
    I see. So if someone doesn't want the 3rd-party risk of single-sign-on and won't generate/store their passwords with a password manager, SQRL can step up. But if SQRL is a mobile black-box which asks for a password to unlock the master key used to regenerate/store SQRLIDs and then perform back-channel linking of client's cookie/QR session_id with server's recorded SQRLID to login - how is this a different mobile black-box from a mobile password manager with auto-login via the same back-channel; or a two-party mobile client cert plugin with auto-generation & login via the same back-channel? – LateralFractal Oct 12 '13 at 04:41
  • I have done some major editing of my original post after some second considerations and closer reading to what others have been saying, as I may have over-hyped it. I suppose having the mobile phone being the central key shifts the problem, and would would make it more important to have stronger security on your phone. Steve Gibson also brings this up in the Q&A podcast. – ansichart Oct 12 '13 at 05:36
11

As usual, take anything related to Steve Gibson with a truckload of salt. Obligatory attrition.org link.


Let's have a look at Gibson's description of his protocol.

Gibon's rubbish

  • The QR code presented near the login prompt contains the URL of the authentication service for the site. The URL includes a securely generated long random number so that every presentation of the login page displays a different QR code. (In crypto circles this long random number is known as a “nonce.”)

  • The smartphone's SQRL authentication app cryptographically hashes the domain name of the site keyed by the user's master key to produce a site-specific public key pair.

  • The app cryptographically signs the entire URL contained in the QR code using the site-specific private key. Since the URL includes a secure long random number (the nonce), the signature is unique for that site and QR code.

  • The app issues a secure HTTPS POST query to the QR code's URL, which is the authentication service for the site. The POST provides the site-specific public key and the matching cryptographic signature of the QR code's URL.

  • The authenticating web site receives and acknowledges the POST query by returning a standard HTTP “200 OK” with no other content. The SQRL app acknowledges the successful submission of the user-signed QR code.

  • The authenticating site has the URL containing the nonce which came back from the login page via the user's smartphone. It also has a cryptographic signature of that URL, and the user's site-specific public key. It uses the public key to verify that the signature is valid for the URL. This confirms that the user who produced the signature used the private key corresponding to the public key. After verifying the signature, the authenticating site recognizes the now-authenticated user by their site-specific public key.

The biggest thing that jumps out at me is the use of a "master key" by the user. If I am reading the protocol correctly, that single master key controls the user's entire online identity...

Presumably, this master key is stored in the user's phone in an application database. Which opens up a huge gaping attack vector in the form of malware designed specifically to steal the master key.

So let's compare the difference between what happens when a password gets compromised vs what happens when the master key gets compromised. Assuming that you are following good password practices of long, unique and highly random passwords stored in a password manager, all you have to do is change a single password if it gets compromised. What happens if your master key gets compromised? You will have to somehow get all the sites you authenticated with to recognize that your master key has been compromised. The only problem is, since you do not have any other means to authenticate with the site such as usernames or email addresses, how will the site know that it is in fact you that is trying to revoke the master key?

Like anything that comes out of Gibson, this SRQL scheme is highly flawed and offers no benefits over conventional methods.

  • 1
    I think this is actually the first time I've come across Gibson's work. It seems that he makes it through that step that most developer/thinkers do of, "Oh hey, that would be super cool and totally work!" except he forgets to take a look around and realize that he's left the back door wide open. Oops! – Wayne Werner Oct 08 '13 at 16:59
  • 2
    @WayneWerner this is true, if most developers were drunk 12 year olds from the 1800's that still believed in the magikal power of unicorns and happy thoughts. – AviD Oct 10 '13 at 15:31
  • 1
    > So let's compare the difference between what happens when a password > gets compromised vs what happens when the master key gets compromised. > Assuming that you are following good password practices of long, > unique and highly random passwords stored in a password manager, all > you have to do is change a single password if it gets compromised. Aren't you comparing apples and oranges? Isn't the SQRL mater password more equivalent to the password on the password manager you are espousing? –  Oct 10 '13 at 14:58
  • 25
    "If you're following good password practices" is a huge caveat, and most Netizens don't do it. Part of SQRL's promise is to reduce users' need to stay on top of best practices. Further, the SQRL spec will call for the master key to be stored encrypted with a master password and will be impossible to brute force (tuned to take ~60s for one try). Getting the password will often be non-trivial since SQRL promotes out-of-band authentication (ie, keylogging a hacked machine won't always help you). So while the consequences of _full_ compromise are high, the likelihood of compromise is somewhat low. – spiffytech Oct 10 '13 at 17:43
  • 32
    SQRL may yet have flaws that need addressing, but it [claims](https://www.grc.com/sqrl/sqrl.htm) to solve a number of problems found in existing approaches to authentication, and any criticism of SQRL that asserts it "offers no benefits" should include rebuttals of these claims instead of expecting the assertion to be blindly accepted. – spiffytech Oct 10 '13 at 17:44
  • > how will the site know that it is in fact you that is trying to revoke the master key? One thought on this is how do you ever do this if you use public/private key encryption? One way to potentially look at it is from the perspective of an attacker why would revocation ever benefit them, so why not just allow the original owner to do revocations using the master key? – James Snyder Oct 10 '13 at 21:53
  • 1
    Revocation system is already in place if we consider using PGP for our public and master key we have a way to revoke access to old keys. Not saying this is totally durable but it is a start. I already talked about this on my website so it isn't like others have not thought of this and more. –  Oct 10 '13 at 21:34
  • 27
    > Like anything that comes out of Gibson, this SRQL scheme is highly flawed and offers no benefits over conventional methods. --- This doesn't seem to help answering the question, and I actually feel that you have problems with the technology because of who came up with it. Some of the points you mentioned as flaws are actually addressed by the "spec". For instance, SQRL itself doesn't mentions how the master key is stored, but Steve Gibson's comments about it are that a mobile client, for instance, would encrypt it with a master password using a scrypt that takes 60s on average to execute. – jpkrohling Oct 11 '13 at 09:19
  • 14
    Gibson explicity addresses the protection of the master key. – MCW Oct 11 '13 at 10:42
  • 1
    @spiffytech _"tuned to take ~60s for one try"_ this is the default scrypt strength for master key _backups_. We don't want to wait 60 seconds every time we unlock the master key on our phones, right? Instead, password verification on the phone is recommended to require only a half-second. Which is really still quite good. – Joshua Tacoma Oct 12 '13 at 23:38
  • 3
    There's nothing stopping you from using a email authentication loop with SQRL for account recovery. It makes sign up a little more involved, but you still get the benefits of only having to remember a single good password. – Lockyer Mar 21 '14 at 00:58
  • 15
    Hold on a second. You equate your SQRL master key being stolen to *one* of your LastPass keys being stolen. Wouldn't it be a better analogy to equate it to *your entire, decrypted LastPass password database* being stolen? – Ajedi32 Dec 22 '14 at 20:03
  • 2
    "unique and highly random passwords stored in a password manager" Surely this password manager has a master password, which if compromised, would be similar to someone compromising your SQRL master key. – styfle Nov 08 '17 at 14:07
  • It doesn’t store the master key, your premise is nonsense. – Engineer Sep 10 '21 at 00:13
9

I agree with the other comments to certain degree, but I do think there are some merits:

To enable SQRL for you, you have to create your master key and store it on your phone. DONE. From that second, you will be able to log into ANY website that uses "SQRL". And that would be an anonymous login - as long as you decide to not provide any further information.

That is MUCH easer than working with your own certificate; or creating explicit user accounts (probably asking you to provide a valid email address). Maybe I would not use that same master key for my banking, amazon, ... accounts - but especially for these "i would like to post something here" situations ... perfect. No more "please let google or facebook or whatever site know that you want to post here".

Elton
  • 107
  • 1
  • 1
    I'm not sure that this is much of a valid point - if you're going to allow anonymous logins then why bother with a login in the first place? A simple captcha would suffice to prevent some spam. – Wayne Werner Oct 10 '13 at 14:57
  • 6
    Because the anon login is YOU, just declining to provide any information about your identity; nobody can spoof it. – Ross Presser Oct 10 '13 at 16:02
  • It sounds almost like a half-baked re-hash of Windows CardSpace. – Xander Oct 10 '13 at 16:23
  • I didnt realize that my posting actually pointed out the REAL problem with SQRL: it opens up the door for massive spaming. You see - a new user just needs to log in using SQRL. Conclusion: you still need a "registration" process; afterwards SQRL might be a nice convenient way to log into certain web sites. – Elton Oct 11 '13 at 07:36
  • 1
    Or a captcha, if you are logging in an user which has never logged in before. – jpkrohling Oct 11 '13 at 10:11
  • 1
    "To enable SQRL for you, you have to create your master key and store it on your phone." Actually, you don't need to do that, you just need some software on your PC that can open sqrl:// URLs. – Abhi Beckert Oct 14 '13 at 21:40
  • It’s not stored on your phone. – Engineer Sep 10 '21 at 00:25
7

SQRL provides no ground breaking improvements. QR codes are an optical barcode format useful for short content distribution - nothing more.

Any "auto-login" situation that SQRL is trying to solve could simply use a client certificate stored on the mobile instead.

Hypothetically a QR barcode on a HTTPS page could return a server signed or encrypted version of the client certificate (or a similar credential) as previously known by the server, but why? For credential expiration? The site could simply reject an expired credential directly.

So the biggest security problem I have with this protocol is: Reinventing the Square Wheel.


Update

Reading new answers and comments, I'd like to point out how easy it is do something similar to SQRL through simple automation of mature existing technology:

  1. Website asks any CAPTCHAs or similar "I'm a human" verification. Once the user has complied (POSTed), the website returns a HTTP 403.7 - Client Certificate Required or a vanilla 403 error.
  2. Custom 403 pages are easy enough to setup and can be quite pretty and user friendly. Could even bootstrap the functionality required below in a manner similar to the "Adobe Reader required" prompts on many websites.
  3. Custom 403 page includes some markup that a custom browser plugin reacts to. Let us call this custom plugin 'S403L compliant' in the spirit of 'SQRL compliance'.
  4. The S403L plugin generates a standard client certificate, which is secured in the usual encrypted browser cert cache (or a third-party cache if your browser's keystore encryption sucks). The plugin creates a standard CSR for the client cert and sends the CSR to the URL specified in the 403 markup. (e.g. <s403l ref="https://www.example.com/S403L" />)
  5. The S403L compliant server use the user's session_id (retrieved from cookies or query string) to create continuity with Step 1 and then returns the CSR as signed by the server. General server authentication will accept any client certificate that was signed by the server (and thus met the registration criteria demanded in Step 1).
  6. The S403L plugin stores that signed client certificate in the browser's cache. From then on, the standard browser without plugin assistence can "auto-login" into the server in the standard SSL/TLS fashion until the certificate expires.

The "mobile" and "visual" nature of SQRL is something of a misdirection as it doesn't provide detached two-factor authentication and you now need two computers to navigate the internet instead of one. Unless you point your desktop's USB webcam at its own monitor.

The trade-offs between passwords and certificates is well defined in the security community: Passwords fit in a human brain; certificates don't fit in a human brain (usually) but can have crazy entropy and good PKI management features (expiry, revocation, policy extensions, etc). SQRL fits cleanly into neither camp; and if it's drifting towards the less-human more-computer camp as it seems to be - it has years of development and security analysis to repeat existing X.509 features.

LateralFractal
  • 5,173
  • 18
  • 41
  • > could simply use a client certificate stored on the mobile instead. --- except that this technology exists for years both on mobile and desktop, and it's not as widespread as one would wish. And opposed to the client certificate, SQRL doesn't requires you to prove your real identity to create a "SQRL Identity". If you so wish, you can create as many identities as you want. This means that the advantage comparing to Client Certificates is that you have anonymity from the auth protocol's side. – jpkrohling Oct 11 '13 at 09:25
  • @jpkrohling It is a common misconception that client certificates require identity disclosure to use. That is a requirement of commercial signing authorities to use their globally interchangeable trust chains. In practice a client cert can simply be an anonymous [CSR](http://en.wikipedia.org/wiki/Certificate_signing_request) created by the client and signed by a specific server, after meeting whatever criteria are desired (CAPTCHAs, prior account, etc). Certificates can also have a built-in expiration. `Type 40-L` QR barcodes could dispatch/store the 1KB X.509 client cert if desired. – LateralFractal Oct 11 '13 at 10:13
  • Ok, true, my bad. From this perspective, the client (mobile app, for instance), could be generating a client cert for each website that the user is registering. This sounds more expensive than hashing some information, but could be an interesting solution. In any case, I still don't agree with your claims that SQRL is worse than useless. – jpkrohling Oct 11 '13 at 10:25
  • I was perhaps harsh on that wording and will remove it. But I don't see SQRL as anything other than more sexy way to distribute negotiated client credentials; and one that hasn't resolved some of the subtle problems addressed by mature authentication schemes. A password manager is tedious (I don't bother with browser integration because I'm a paranoiac) but I know that only I and one website share each one-shot password in my encrypted key-store. I don't have to worry about fancy new hash/auth schemes, just the quality of the PRNG/TRNG that my password manager uses to generate passwords. – LateralFractal Oct 11 '13 at 10:35
  • Well, that's the difference. You are not the usual case (neither am I, or anyone on this website, I suppose). Common people use the same password over and over because generating random unique passwords is too complex for them. A "more sexy way" to generate random unique key that can be used for logging in might be the difference here, provided that they are as secure as the current best practices while being more convenient. – jpkrohling Oct 11 '13 at 10:58
  • "I know that only I and one website share each one-shot password in my encrypted key-store." Right, but the advantage of SQRL is that *only you* are storing the password. The server on the other end also has your password and they might be compromised by a rouge employee, by the NSA, or by a hacker. With SQRL you are the only person with the private key and it's up to you to decide how secure you want it to be. You don't have to ever store it on a mobile device, the QR code is just a URL and presumably would be wrapped in an tag. Just have software on your PC to handle the sqrl:// protocol – Abhi Beckert Oct 14 '13 at 21:37
  • @AbhiBeckert The nature of authentication is when the 1st party provides the 2nd party with something only the 1st party can know (a "token"). Whether this token is a site-specific password or a site-specific public key signature is irrelevant; as in both cases the 2nd party is verifying the *identity contiguity* of the 1st party. In fact SQRL is simply **a SSL/TLS session rehashed at a higher level of context**. – LateralFractal Oct 14 '13 at 22:09
  • (cont.) A TLS socket is an anonymous key exchange used in turn to exchange a symmetric key, which provides the contiguity across future packets. SQRL is an anonymous key exchange (client key pair + TLS for server) used in turn to link a server's user_id to a client's signature, which provides the contiguity across future connections. Gibson (or his supporters) have forgotten that semi-novel distribution and automation is not a discovery of a new authentication mechanism *nor supportable on that basis*. – LateralFractal Oct 14 '13 at 22:10
  • 2
    @LateralFractal who cares if it's new or not? SQRL allows user friendly authentication where the 1st party does not expose their secret with the 2nd party or any 3rd party who might have compromised the 2nd party's security. It's an attempt to solve a real world problem that, so far, nobody else has been able to solve. – Abhi Beckert Oct 16 '13 at 21:19
  • 1
    @AbhiBeckert And around and around in circles we go. If it is *not new*, then by definition the problem has been solved before. So I'll reiterate: SQRL is simply an automation and distribution channel that could have been implemented on existing standards. But then the inventor (I use this term loosely) would be contributing a tool or plugin to automate existing technology instead of the publicity benefit of a home-brew solution with their name attached. The vast semi-anonymous contributors who keep your browser and IDE afloat don't crave ego-reinforcement to extent of reinventing the wheel. – LateralFractal Oct 17 '13 at 01:15
  • To me like this answer basically reads like: "This is nothing new, it's just a combination of existing technologies. Instead, we could do this using ." Anyway, client certs have a few usability issues that SQRL does not: http://www.browserauth.net/tls-client-authentication – Ajedi32 Nov 05 '15 at 15:12
  • @Ajedi32 It's not new; and its particular combination of technologies is ill suited for security. Regarding usability as a justification for brewing your own inferior security solution - security is inherently un-user friendly (wouldn't we all love it if our front door didn't require a lock); so if your ease of use (debatable, considering I now need more devices to do less) comes at the cost of fitness for purpose; better to spend time improving the user interface of existing security technologies. – LateralFractal Nov 07 '15 at 22:44
  • The point I'm trying to make is authentication channels have been explored extensively. If the only leg SQRL stands on is usability (the other legs having been decisively broken by other _Security SE_ members); effort should be directed to enhancing the user interfaces of mature technologies. Besides, this whole usability ship has sailed on - any stakeholder asking for usability nowadays asks for federated single sign-on; with SAML and OpenID Connect being favoured. Solutions like SQRL simply can't compete given the amount of ongoing responsibilities delegated to the end-user under the scheme. – LateralFractal Nov 07 '15 at 23:07
  • @LateralFractal I actually disagree with most of points regarding the security of SQRL in the other answers here. They seem to be either outdated, or based on misconceptions about how SQRL works that were never true to begin with. Maybe that's why, to me, this answer seems to be saying dismissing the usability and security benefits of SQRL, and instead proposing an alternate solution that has security and usability issues of its own. – Ajedi32 Nov 07 '15 at 23:24
  • @LateralFractal Also, I disagree with the notion that SQRL is equivalent to a homebrew solution. SQRL is an open, public standard being worked on by a number of different people, not just Gibson. – Ajedi32 Nov 07 '15 at 23:27
  • @Ajedi32 The expert opinion on SQRL [hasn't changed](http://meta.security.stackexchange.com/a/1876/30521) in two years. Secure _your_ banking details and medical records behind it and get back to me. In any case, I'll no longer reply to comments on this thread; as it goes around and around with a few acolytes. – LateralFractal Nov 08 '15 at 05:06
  • @LateralFractal Fair enough; you're certainly free to think what you want. I maintain though that in this case "the expert opinion" is _wrong_, and I won't be convinced otherwise without a well-reasoned argument. Simply pointing to the opinions of "experts" without actually making any substantive argument is fallacious. For example, the post you linked didn't even attempt to counter the arguments listed in the original question, which explained in great detail, point-by-point, why the blog post in question was factually _wrong_. – Ajedi32 Nov 08 '15 at 05:31
4

I would like to address the first question: "one of the problems that I can think of is if the QR reader is compromised, to display www.google.com instead of www.nsa-super-secret-place.gov/123":

The master key is used as the seed into HMAC together with the website address (FQDN). So although the QR code may encode completely different URL the protocol will NOT reveal the authentication code that would normally be sent to www.google.com (in the example).

Second, many of the contributors forget about the key objectives when working this idea out:

  1. anonymity by not using 3rd party
  2. ease of use
  3. no need to type secret credential on untrusted computers

I believe the protocols addresses these in full!

However, there are compromises that actually come from the the first obectjive. If no 3rd party is involved in the authentication, how can one revoke their authentication details? Additionally, the security of the master key is an obvious concern. I envisage this to be well protected by future mobile devices in a HSM like chip. Until then, the key is just a file pin mobile device, protected by a password, though PBDKF2 ensures that it is very slow to actually brute force it.

AviD
  • 72,708
  • 22
  • 137
  • 218
  • 1
    Again,what's new about this idea? It seems to me to be a primitive variation on the now defunct Windows CardSpace. – Xander Oct 10 '13 at 20:10
  • 1
    Yes you are right about CardSpace. Then there is U-Prove also owned by Microsoft. The question is how would you use CardSpace or U-Prove on a computer that you do not trust (internet cafe or friends computer). That is what Steve added. – Vladimir Jirasek Oct 10 '13 at 20:28
  • 2
    Ah, ok, that's what I was missing. I still agree with @TerryChia that this is a non-starter without a revocation mechanism for the user keys. – Xander Oct 10 '13 at 21:03
  • 3
    @Xander There *is* a revocation mechanism for the user keys. https://www.grc.com/sqrl/idlock.htm – Ajedi32 Nov 05 '15 at 15:05