| Original author(s) | Steve Gibson |
|---|---|
| Operating system | Cross-platform |
| Available in | 56 languages [1] |
| Languages | Afrikaans, Arabic, Armenian, Belarusian, Bulgarian, Catalan, Chinese Simplified, Chinese Traditional, Croatian, Czech, Danish, Dutch, English, English (Canada), English (United Kingdom), Esperanto, Estonian, Finnish, French, French (Canada), French (Quebec), German, Greek, Hebrew, Hindi, Hungarian, Icelandic, Indonesian, Irish, Italian, Japanese, Korean, Latvian, Lithuanian, Malayalam, Norwegian Bokmal, Norwegian Nynorsk, Persian, Polish, Portuguese (Portugal), Portuguese (Brazil), Romanian, Russian, Serbian (Cyrillic), Slovak, Slovenian, Spanish, Swahili (Kenya), Swahili (Tanzania), Swedish, Tagalog, Thai, Turkish, Ukrainian, Vietnamese, Welsh |
| Type | Secure website login and authentication |
| License | Public domain [2] |
| Website | https://www.grc.com/sqrl/sqrl.htm |
SQRL (pronounced "squirrel") [2] or Secure, Quick, Reliable Login (formerly Secure QR Login) is a draft open standard for secure website login and authentication. The software typically uses a link of the scheme sqrl:// or optionally a QR code, where a user identifies via a pseudonymous zero-knowledge proof rather than providing a user ID and password. This method is thought to be impervious to a brute-force password attack or data breach. It shifts the burden of security away from the party requesting the authentication and closer to the operating-system implementation of what is possible on the hardware, as well as to the user. SQRL was proposed by Steve Gibson of Gibson Research Corporation in October 2013 as a way to simplify the process of authentication without the risk of revelation of information about the transaction to a third party.
The acronym SQRL was coined by Steve Gibson, and the protocol was drafted, discussed and analyzed in depth by him and a community of Internet security enthusiasts on the news.grc.com newsgroups and during his weekly podcast, Security Now!, on October 2, 2013. Within two days of the airing of this podcast, the W3C expressed interest in working on the standard. [3]
Google Cloud Platform developers Ian Maddox and Kyle Moschetto mentioned SQRL in their document "Modern Password Security for System Designers". [4]
A thesis that analyzed SQRL found that "it appears to be an interesting approach, both in terms of the envisioned user experience as well as the underlying cryptography. SQRL is mostly combining well established cryptography in a novel way." [5]
The protocol is an answer to a problem of identity fragmentation. It improves on protocols such as OAuth and OpenID by not requiring a third party to broker the transaction, and by not giving a server any secrets to protect, such as username and password.
Additionally, it provides a standard that can be freely used to simplify the login processes available to password manager applications. More importantly, the standard is open so no one company can benefit from owning the technology. According to Gibson's website, [2] such a robust technology should be in the public domain so the security and cryptography can be verified, and not deliberately restricted for commercial or other reasons.
SQRL has some design-inherent and intentional phishing defenses, [6] but it is mainly intended to be for authentication, not anti-phishing, despite having some anti-phishing properties. [7]
For the protocol to be used on a website, two components are necessary: a server-side implementation, part of the web service to which the user authenticates, which displays a QR code or specially crafted URL according to the specifications of the protocol; and a browser plugin or a mobile application, which can read this code in order to provide secure authentication.
The SQRL client uses one-way functions and the user's single master password to decrypt a secret master key. From that key, combined with the site's domain name and optionally an additional sub-site identifier (e.g., example.com, or example.edu/chessclub), it generates a (sub-)site-specific public/private key pair. It signs the transaction tokens with the private key and gives the public key to the site, so the site can verify those signatures.
There are no "shared secrets" which a compromise of the site could expose to allow attacks on accounts at other sites. The only thing a successful attacker could get, the public key, would be limited to verifying signatures that are only used at the same site. Even though the user unlocks the master key with a single password, it never leaves the SQRL client; the individual sites do not receive any information from the SQRL process that could be used at any other site.
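The per-site key derivation and signature check described above, as an added example that is not part of the article or of Gibson's SQRL code. It assumes the master key has already been unlocked (a constructed 32-byte value stands in for it), derives each site's Ed25519 pair as HMAC-SHA256(master key, site identifier), and shows that the public key one site stores verifies nothing at another site; the real protocol's message format is not reproduced.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// DemoMasterKey returns a constructed 32-byte identity master key standing in
// for the secret the client has already unlocked with the user's password.
func DemoMasterKey() []byte {
	k := sha256.Sum256([]byte("constructed demo master key, not a real identity"))
	return k[:]
}

// SiteKeyPair derives the (sub-)site-specific Ed25519 key pair: the seed is
// HMAC-SHA256(masterKey, siteKey), so the same identity yields the same pair
// for "example.com" every time, and an unrelated pair for any other siteKey.
func SiteKeyPair(masterKey []byte, siteKey string) (ed25519.PublicKey, ed25519.PrivateKey) {
	mac := hmac.New(sha256.New, masterKey)
	mac.Write([]byte(siteKey))
	seed := mac.Sum(nil) // 32 bytes, exactly ed25519.SeedSize
	priv := ed25519.NewKeyFromSeed(seed)
	return priv.Public().(ed25519.PublicKey), priv
}

// SignChallenge is the client side: sign the server-issued transaction token.
func SignChallenge(priv ed25519.PrivateKey, token []byte) []byte {
	return ed25519.Sign(priv, token)
}

// VerifyLogin is the server side: it holds only the public key registered at
// enrolment, which cannot be turned back into the private key or master key.
func VerifyLogin(pub ed25519.PublicKey, token, sig []byte) bool {
	return ed25519.Verify(pub, token, sig)
}

func main() {
	master := DemoMasterKey()
	pubA, privA := SiteKeyPair(master, "example.com")
	pubB, _ := SiteKeyPair(master, "example.edu/chessclub")
	fmt.Println("example.com           pub:", hex.EncodeToString(pubA))
	fmt.Println("example.edu/chessclub pub:", hex.EncodeToString(pubB))

	token := []byte("constructed-server-nonce-0001") // would arrive via the sqrl:// link
	sig := SignChallenge(privA, token)
	fmt.Println("valid login at example.com:      ", VerifyLogin(pubA, token, sig))
	fmt.Println("same signature at the other site:", VerifyLogin(pubB, token, sig))
	fmt.Println("token altered in transit:        ", VerifyLogin(pubA, []byte("constructed-server-nonce-0002"), sig))
}
```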
A number of proof-of-concept implementations have been made for various platforms.
There are also various server-end test and debugging sites available. [22] [23]
Steve Gibson states that SQRL is "open and free, as it should be", and that the solution is "unencumbered by patents". [2] After SQRL brought a lot of attention to QR-code-based authentication mechanisms, the suggested protocol was said by blogger Michael Beiter to have been patented earlier and thus not generally available for royalty-free use. [24] [non-primary source needed] The patent in question (not expiring until 2030) was applied for by and granted to Spanish company GMV Soluciones Globales Internet SA (a division of the Madrid-based technology and aerospace corporation GMV Innovating Solutions), between 2008 and 2012 by the patent offices of the United States, the European Union, Spain, and Portugal. [25]
Gibson responded: "What those guys are doing as described in that patent is completely different from the way SQRL operates, so there would be no conflict between SQRL and their patent. Superficially, anything that uses a 2D code for authentication seems 'similar' ... and superficially all such solutions are. But the details matter, and the way SQRL operates is entirely different in the details." [26]
Open & free, as it should be: The component techniques and technologies employed by this solution are all well known, well tested, well understood, unencumbered by patents, and exist in the public domain. ... With this publication of every detail, I hereby release and disclaim any and all proprietary rights to any new ideas developed and presented herein. This work is thereby added to the public domain.