SQRL: (Secure Quick Reliable Login): Proposed new web login & authentication system

SQRL An Illustrated Guide

I came across SQRL from listening to the Security Now podcast on the TWIT podcast network. When I heard about it, I immediately thought, “I want that!” I’m not sure if it will eventually catch on or not, but there are aspects to SQRL that I find appealing.

You can find details about the proposed SQRL authentication spec on the creator’s page or in the podcast where he announced it.

I recently came across an illustrated guide to SQRL that might help with understanding some of the more gnarly bits.

From the SQRL page on GRC.com:

Wishing to login to an online service where an “SQRL” code appears nearby:

  • The user can tap or click directly on the SQRL code to login,
  • or launch their smartphone’s SQRL app, and scan the QR code.
  • For verification, SQRL displays the domain name contained in the SQRL code.
  • After verifying the domain, the user permits the SQRL app to authenticate their identity.
  • Leaving the login information blank, the user clicks the “Log in” button… and is logged in.

Behind the scenes:

The website’s login presents a QR code containing the URL of its authentication service, plus a nonce. The user’s smartphone signs the login URL using a private key derived from its master secret and the URL’s domain name. The smartphone sends the matching public key to identify the user, and the signature to authenticate it.
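The flow in the quoted paragraph, as an added example (not code from GRC or the SQRL project): a per-site Ed25519 key pair is derived from a master secret and the site's domain, the client signs the login URL that carries the server's nonce, and the server verifies the signature against the public key it was handed. The HMAC-SHA256 derivation step, the `example.com` domain and the `nut` nonce value are assumptions of this demo, not the spec's exact parameters.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// SiteKeyPair derives a per-site Ed25519 key pair from the master secret and
// the site's domain name. Using HMAC-SHA256 here is an assumption of this demo:
// it yields a 32-byte seed that differs for every domain, so the public key
// (the user's identity at that site) cannot be linked across sites.
func SiteKeyPair(master []byte, domain string) (ed25519.PublicKey, ed25519.PrivateKey) {
	mac := hmac.New(sha256.New, master)
	mac.Write([]byte(domain))
	seed := mac.Sum(nil) // 32 bytes, matching ed25519.SeedSize
	priv := ed25519.NewKeyFromSeed(seed)
	return priv.Public().(ed25519.PublicKey), priv
}

// LoginResponse is what the client sends back: the identity public key and a
// signature over the exact login URL (which carries the server's nonce).
type LoginResponse struct {
	PublicKey ed25519.PublicKey
	Signature []byte
}

// SignLogin builds the client's response: derive the key for the URL's domain,
// then sign the URL exactly as it appeared in the QR code.
func SignLogin(master []byte, domain, loginURL string) LoginResponse {
	pub, priv := SiteKeyPair(master, domain)
	return LoginResponse{PublicKey: pub, Signature: ed25519.Sign(priv, []byte(loginURL))}
}

// VerifyLogin is the server side: the signature must check out against the
// presented public key and against the URL (and nonce) the server itself issued.
func VerifyLogin(resp LoginResponse, issuedURL string) bool {
	return ed25519.Verify(resp.PublicKey, []byte(issuedURL), resp.Signature)
}

func main() {
	master := sha256.Sum256([]byte("constructed master secret for demo only"))
	url := "https://example.com/sqrl?nut=8f2a9c01" // constructed nonce ("nut")
	resp := SignLogin(master[:], "example.com", url)
	fmt.Println("identity:", hex.EncodeToString(resp.PublicKey))
	fmt.Println("valid:", VerifyLogin(resp, url))
	// A captured response replayed against a fresh nonce fails: the signature covers the URL.
	fmt.Println("replayed:", VerifyLogin(resp, "https://example.com/sqrl?nut=00000000"))
}
```

Because the seed depends on the domain, a login URL for a look-alike domain derives a different key pair, so the public key presented there never matches the user's identity at the real site.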

Yeah. So the quotes above are probably not adequately explaining why I’m excited by the possibilities of SQRL. It seems like a simpler way to log in, and I like that it doesn’t require you to trust a third party. Clicky the links or listen to the podcast to learn more.