SQRL Revolutionizing Web Site Login And Authentication

Keeping your identity safe online can be difficult in many ways. There are different techniques hackers can use to get at your passwords, from malware already on your system, to psychologically manipulating you into performing actions, divulging confidential information or by exhaustive effort of trial and error guessing, rather than employing intellectual strategies.

This security sinkhole is only the start of the problem though, because even if you come up with an extremely complex password that has no personal information tied to it, using it across separate services and websites ties your identity together anyway. Therefore, there is little advantage to be had using just one superior password across many websites.

Today there are many software password manager applications out there like LastPass, Roboform, and KeyPass, these apps try to help automate the same old system, which ultimately solves only a small part of the greater struggle.

Since the time of the very first mainframe computers, we’ve put up with this uncomfortable situation, unaware of a better way to make those annoying password prompts go away.

In 2013, Information Security Icon Steve Gibson proposed an open source authentication system. It promises to put an end to username and password prompts once and for all, while vastly improving privacy and security.

Dubbed the Secure Quick Reliable Login, this free and elegant solution shares many of the same traits with Bitcoin including a 256-bit Secure Hash Algorithm and CSPRNG, a Cryptographically Secure Pseudo Random Number Generator.

"A comprehensive, easy-to-use, high security replacement for usernames, passwords, reminders, one-time-code authenticators… and everything else."
— – Gibson Research Corporation

Conveniently, SQRL is a single solution for all future login prompts; you only have to memorize a master password to have access to every website and application.

The only drawback is that those websites and application must first enable SQRL logins themselves, so like Bitcoin and all other protocols, there will be an adoption curve to overcome before it is truly useful. However, the benefits to be had from doing so are quite impressive.

“Once we have established the reqOpenuired interoperability standards, people WILL create free smartphone SQRL clients—probably many. And as websites begin to offer SQRL login as a side-by-side alternative to the traditional username and password, SQRL popularity will grow.”
— – Gibson Research Corporation

One of the benefits from using SQRL is time saving. If you’ve ever been to a particular  SQRL-enabled site (or app) on your current device before, a single tap will give you instant access. If you haven’t been to that site before, you don’t have to make up a password, it’ll do it for you with one extra click, keeping track of it for you automatically.

Privacy is one area where SQRL really shines; every password it creates for you is truly unique and cannot be linked back to you at all, unless they require other information like a real name. Every attempt to log into a site has a uniquely-generated password that won’t work  anywhere else nor without your master login first. This system favors Bitcoin’s Pseudonymous structure and uses the same technology to accomplish identity. In this way, your identity is safe even on public computers with keyloggers or malware installed.

The level of security SQRL employs is truly ground breaking. Not only is the password you send to a website or app a 256-bit, dynamically generated password, making it extremely difficult to steal or attempt a brute-force attack, the website or app that you are logging into at the same time checks to see if you are indeed at their site and not a spoofed website… So SQRL also puts an end to phishing attacks too.

First-time setup is painless as well. When you, as a user, first download the SQRL application, you have to go through the 1-time process of making your master identity and then backing it up. They help you pick a passphrase that you can remember and it will be the only one you use to log into every SQRL-enabled site ever afterwards.

In case you ever forget your master password or want to change it for some reason, or steal your identity back from some kind of successful hack, there is an included ‘identity unlock key’ that you should print out and back up too. Much like a bitcoin paper wallet with your private key viewable, this is the thing you must keep hidden and safe above all else. Of course if all goes well, you’ll never have to use it, not even once.

Cryptographers will be pleasantly surprised, as they were with Bitcoin, of how simple and elegant the solution is behind SQRL. Using a bitcoin-like keypair, it solves many authentication problems in such an efficient manner that it can seem like magic to watch, yet at the same time is far stronger protection than the cryptography that banking websites use today.

“The website’s login presents a QR code containing the URL of its authentication service, plus a nonce. The user’s smartphone signs the login URL using a private key derived from its master secret and the URL’s domain name. The Smartphone sends the matching public key to identify the user, and the signature to authenticate it.”
— – Gibson Research Corporation

Using a QR code to gain access to an application or website is not the unique part of SQRL. In fact, there are other password login systems that do so, like the new website login to Whatsapp. While this looks similar to SQRL in practice, it is just a shortcut to fill in the username and password field, and offers none of the security improvements nor does it work with other websites.

We may see more of these single website QR-code authentication shortcuts before SQRL takes off, but as users adopt the SQRL system they’ll be some of the easiest websites to convert since their customers will already be acclimated to using QR codes to log in.

Perhaps SQRL’s closest competition is Clef, a smartphone-based authentication app also based upon public-key cryptography. The major difference between them is that Clef is a for-profit company, not an open-source protocol. Although the Clef login icon is a pretty, animated image instead of a QR code, their service primarily allows for 2-factor authentication, not the entire crypto security protection that SQRL is based upon.

A few Bitcoin services are already using Clef authentication, including Bitcoin exchange software provider AlphaPoint and payment provider Bitspark. It will be interesting to see if Clef gains more ground before SQRL becomes widely adopted.

All SQRL needs now is a good public awareness campaign. This is where Bitcoin developers can come to the rescue by adding it to their websites and apps. Since the technologies are so similar, it would be almost trivial for many developers to use SQRL as an extra way to gain access to their offering, and for bitcoin wallet users it would be equally simple to use the SQRL app on their smartphones and desktop PCs.