We are all accustomed to memorizing and entering a username and password in order to identify ourselves and to access websites and applications. For years, security researchers have been desperately searching for a method more secure than the traditional username and password standard that everyone is used to. The traditional authentication methods many of us use today are not secure, nor intuitive. Passwords can be stolen in multiple ways - by a man-in-the-middle attack, keyloggers, brute force attacks, and by other methods. People often re-use the same password for multiple sites, or document many passwords in a list, which can then be compromised.
While methods such as two-factor authentication make passwords more secure, many users get annoyed by the extra step and refuse to do it. Another popular authentication method is to log in using a 3rd party system, such as by using your Facebook, Microsoft or Google login credentials; the issue with this method is that if any of those accounts get compromised, all of the sites you log in to with those credentials are also compromised. This leads us to an up-and-coming new authentication method: Secure QR Login (SQRL).
What is SQRL & How Does it Work?
Imagine using only one single password for EVERY site you visit. Security expert Steve Gibson, the man who coined the term "spyware", podcast host of Security Now, and other projects such as ShieldsUP! and SpinRite, has come up with an elegant way to do this: SQRL (Secure Quick Reliable Login). First introduced in 2013, SQRL is now starting to gain traction among security experts. SQRL does not rely on a shared secret that usernames and passwords use; instead, SQRL utilizes public-key cryptography (PKC) and software on the user’s device that securely identifies the user. Users are required to remember only one password, delivering an experience similar to single sign on (SSO).
When using SQRL, users need only to provide one password to unlock their signing keys, which are stored locally on their device and never disclosed to any website. The password is verified locally on the device that stores the signing keys. To authenticate using SQRL, visitors to a website are uniquely identified by an anonymous SQRL ID, which they present every time they visit the same site. Since no two visitors have the same ID, the website can uniquely and anonymously identify every one of its visitors. While users always present the same ID to the same site, they present an entirely different ID to every other site they visit, so it is impossible to link identities across sites.
Watch the video below to see a SQRL login demonstration:
Advantages & Potential Risks of SQRL
There are many advantages to the SQRL system, which may be why it has started to gain traction in recent years. It is a simple system, which means there is less frustration for the user and fewer chances that bugs could be introduced in the applications. Users can use a single master secret code for every site and password-protect that code. The user would only need to remember one password, yet the authentication would be unique for each site. Even if a site gets hacked and your public key for that site is stolen, that doesn't allow attackers to impersonate you anywhere else. Another big advantage is that it doesn't rely on any third-party service. You aren't giving up control of your identity for multiple sites to Facebook or Google. It is simple for users to use, to understand, and to secure.
However, not everyone is excited about this new authentication method. Using SQRL, your identity for every site resides in an app on your phone or on your desktop. That creates a major attack point, and the identity could also be lost if it is not backed up. Anyone who is security-conscious would realize that and take the appropriate measures, but most casual users would not understand the risks. Another issue that has been raised is that this method doesn't prevent a true man-in-the-middle attack. If an attacker actively listens to your connection and can see the data going through, then they can do a replay attack and still get in, as they would with a username and password. But the method still provides some protection, because there is no risk that the password may have been reused on another site. Also, since the QR code changes at every session, the public key and encrypted blob that's transmitted wouldn't be reusable later on.
Will SQRL Become the New Standard?
In the current state of technology, we can all agree that cybersecurity is critical. Government agencies, schools, hospitals, and small to large businesses alike are all targets of cybercriminals. The whole point behind third party authentication services is so Internet giants like Google and Facebook can know more about us and control more about our online experience. SQRL is great for the user, especially those who are security conscious, but it does nothing for these websites. In the end, users tend to go with what is offered to them, and right now Facebook Connect seems to be the apparent winner; but the risks associated with authentication methods of that type are numerous, as we noted above.
Gibson remains confident that SQRL will be the best authentication for security that has so far been offered. With SQRL, rather than going through the annoying process of creating an account to uniquely identify yourself to a new website, you can log in using your SQRL identity. The result is a secure and unique identity on that site where no one can impersonate you, and any time you return, you will be immediately and uniquely identified. No accounts are set up, and no usernames or passwords are required for logging in. As a result, there's nothing to remember or to forget. Only time will tell if SQRL will become the new standard.