SQRL, if adopted and implemented, can change our entire relationship with web sites and how we use them. SQRL is simple, elegant, and uses current technology, which should create a low barrier to entry for web sites to employ it. This just might be the perfect solution to the problem of usernames and passwords.
Usernames and passwords came along before the Internet and long before they became necessary to access almost anything on the Web. In a perfect world we should all have different usernames and passwords (and long ones that contain numbers and special characters for that matter) for each and every thing that requires them, because if we don’t and some nefarious person gains access to that information, they then have access to all the places where we use them. But who has a memory capable of keeping unique usernames and passwords for everything? Just about no one. I was introduced to a solution that purports to get rid of usernames and passwords as we know them. It’s called SQRL (pronounced squirrel) and it stands for Secure Quick Reliable Login. I’ve read through the proposal of how this works. And, while I don’t have expertise in cryptography, I think I understand the basics and I’ll do my best to explain it as I understand it.
Unique Usernames and Passwords for Every Web Site
The SQRL system creates a unique username and password for each and every web site that employs this technology. To make it even more secure the user never needs to know their own username or password for the sites they visit. This means no longer would a person have to worry about their Facebook or Twitter account being compromised and then have to worry about all the other sites where they used the same username and password combination. It sounds like magic.
Creating a Master Key
In order for SQRL to work a person has to download an app to their phone or computer (SQRL app) and choose a master password. This password is the only one you’ll ever need and it should be a good strong unique password for this system to be effective. This password will be run through what’s called a hash function which produces what seems to be a bunch of random characters. This bunch of seemingly random characters will be called your Master Key.
Logging into a Web Site
When a person goes to a web site that uses SQRL the site will present a QR code and/or link to a web site address. Here’s an example of what you might see on a web page:
You scan this QR code with your smartphone using the SQRL app and the app will communicate with the web site separately and you would be logged in. No usernames or passwords are ever typed into any form fields. The same login method can be accomplished, if you’re at home or using a trusted computer, by installing an app or browser extension that performs the same task by clicking on the link.
How is this Done?
This QR code is just a graphical representation of the text of a link. Here’s the actual link that created the QR code above: https://www.example.com/sqrl?7b514d3f1d60e848d0b9cc024b9af0c98a92c60c04849771282a322e765f665a. If you scan the QR code with a bar code scanner app on your smartphone, this is what you’ll see.
The random set of characters you see after the question mark in the link is a random number that the web site will create and this number would be unique each time anyone visits that login page.
The SQRL app will take the web site address (www.example.com), combine it with your Master Key, and run them both through a hash function to create two new keys: one that is public and one that is private. The public key ends up being your user ID and the private key temporarily stays in your SQRL app. The string of characters below is an example of what might pass as a username.
a61dc96734eff25c01b332d3c0e3354270d2829533a2607321112bee5922d8ee
The great thing about hashing is that no one can take the number above and go backwards to find your Master Key. But, you can take the web site address, combine it with your Master Key, run them through a hash the same way and produce the same string of characters every time. So it’s a one way street.
In the SQRL app the string of random characters that was provided at the end of the web site’s address gets encrypted by the private key (digitally signed). This digitally signed string of data is essentially your password and it gets passed to the web site where the only thing that can decrypt it is the public key (user ID). The web site decrypts the “password” and if it returns the same exact string of random numbers then the site knows you are who you say you are.
In essence you will create a different password every time you log in to any web site because the random string of characters that the web site generates is different every time the page is refreshed. So even if someone gets a hold of your new super long user ID they cannot compromise your account unless they have the private key. The private key is not stored in your SQRL app because it can be generated every time you visit a site.
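The flow described above, as an added example in Go that is not part of the original post or of the SQRL project's code. It assumes HMAC-SHA256 for combining the Master Key with the site's address and Ed25519 for the key pair and signature; the function names and the sample master key are made up for illustration. With Ed25519 the site checks the signature against the public key rather than decrypting it.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// SiteKeys (hypothetical name): HMAC-SHA256(masterKey, domain) seeds the per-site Ed25519 key pair.
func SiteKeys(masterKey []byte, domain string) (ed25519.PublicKey, ed25519.PrivateKey) {
	mac := hmac.New(sha256.New, masterKey)
	mac.Write([]byte(domain))
	priv := ed25519.NewKeyFromSeed(mac.Sum(nil))
	return priv.Public().(ed25519.PublicKey), priv
}

// NewChallenge is the site's side: a fresh random value for every page load.
func NewChallenge() string {
	n := make([]byte, 32)
	if _, err := rand.Read(n); err != nil {
		panic(err)
	}
	return hex.EncodeToString(n)
}

// Respond is the app's side: re-derive the site's keys and sign the challenge.
func Respond(masterKey []byte, domain, challenge string) (userID string, sig []byte) {
	pub, priv := SiteKeys(masterKey, domain)
	return hex.EncodeToString(pub), ed25519.Sign(priv, []byte(challenge))
}

// Verify is the site's side: check the signature against the stored user ID and its own challenge.
func Verify(userID, challenge string, sig []byte) bool {
	pub, err := hex.DecodeString(userID)
	if err != nil || len(pub) != ed25519.PublicKeySize {
		return false
	}
	return ed25519.Verify(ed25519.PublicKey(pub), []byte(challenge), sig)
}

func main() {
	master := []byte("constructed sample master key") // constructed value, not a real key
	c := NewChallenge()
	id, sig := Respond(master, "www.example.com", c)
	// Prints the user ID, then whether the fresh challenge and a replay on a new challenge verify.
	fmt.Println(id, Verify(id, c, sig), Verify(id, NewChallenge(), sig))
}
```

The user ID is the same on every visit to one site and different for every other site, while a captured signature fails as soon as the site issues a new challenge.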
I’m sure there are many things that I don’t have exactly correct because, as I said, I’m not an expert by any means in cryptography or Internet security. But I’m pretty sure I have the basics down. SQRL is incredibly secure because users won’t know their own user IDs and passwords to any web site. User IDs are long and seemingly random. Passwords are generated on the fly and can only be created with the use of the SQRL app and the Master Key. The SQRL app can only be accessed by the user’s master password.
If there are weaknesses, they’re in the user’s master password and in getting web sites to implement SQRL. A person can use anything they want for their master password, so their identity can be as secure or insecure as that single master password. Web sites may not want to implement SQRL because it gives the user ultimate control over their information. With SQRL a user can be as anonymous as they want because the web site doesn’t need to know anything about them personally in order to authenticate. Web sites can still require a user to set up an account that is associated with their new super long user ID and that’s fine for sites like Amazon or other e-commerce sites. But for sites like Google, Facebook, or any social networking site SQRL can allow a user to have an account but still remain totally anonymous.
There are way more details to this than I’m able to describe and if you’re interested you can follow the links below.
This link is to the creator of SQRL: https://www.grc.com/sqrl/sqrl.htm
Here’s a simplified explanation: http://www.sqrl.pl/
A good write up by TechRepublic: http://www.techrepublic.com/blog/it-security/sqrl-a-new-method-of-authentication-with-qr-codes/
An explanation of digital signatures: http://www.youdzone.com/signature.html