How SQRL may improve the website login and authentication process
If you want to sign in on a website on today's Internet, you have to supply a username and password to do so. It does not really matter if you type the login details in manually, or if you are using a password manager to do that for you.
One of the problems associated with the authentication process is that the data is not linked to a specific person. If someone else gets hold of your username and password, they will be able to log in on most Internet sites without problems.
The solution that most companies seem to favor right now is to add a second layer of authentication to the process. This is called two-factor authentication, and involves the realtime generation of a code that you need to enter as a second login step before access is granted.
SQRL (pronounced squirrel) is a new website login and authentication technology by Gibson Research Corporation. Websites that support SQRL display a QR code on the login page that contains the website URL and a long random number.
The user scans the code using the SQRL app, program or extension. The site URL is displayed to the user before any other action is taken. Without the user's confirmation, everything stops right here.
The application derives a unique site-specific key pair from that information and signs the URL of the site using the site-specific private key.
It then sends a secure HTTPS POST request to the site the user wants to sign in on, providing it with the generated site-specific public key and the cryptographic signature.
The site uses the cryptographic signature and the site-specific public key to verify that the signature is valid for the URL. This verifies that the user used the private key of the key pair to sign the URL of the web service.
You may have noticed that there is no entering of usernames and passwords, or account creations involved. While it is certainly possible that websites may provide new users with opportunities to create a profile, it is by no means required to sign in using SQRL.
Other benefits of the new technology are that SQRL IDs are site-specific, which means that it is no longer possible to link a user's account or login across multiple web properties. A login will only work on one site, and no other site.
Visitors are identified by their public key, a 256-bit number that is presented to a website every time it is visited. What is interesting here is that websites can identify users without knowing anything about them.
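The exchange described above, and the site-specific identities it produces, as an added example in Go using only the standard library. This is not code from GRC or the SQRL project; it models the scheme with assumptions: the site-specific Ed25519 key is derived as HMAC-SHA256 of the host name under the user's master key, the random number in the login URL is carried in a query parameter named `nut`, and the host names and master key are constructed for the demo.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"net/url"
)

// deriveSiteKey derives the site-specific Ed25519 key pair from the user's
// master key and the site's host name. HMAC-SHA256 over the host name serves
// as the 32-byte Ed25519 seed (assumed, simplified derivation).
func deriveSiteKey(master []byte, host string) ed25519.PrivateKey {
	mac := hmac.New(sha256.New, master)
	mac.Write([]byte(host))
	return ed25519.NewKeyFromSeed(mac.Sum(nil)) // SHA-256 output == ed25519.SeedSize
}

// siteIdentity is the hex-encoded public key a given site sees for this user.
func siteIdentity(master []byte, host string) string {
	return hex.EncodeToString(deriveSiteKey(master, host).Public().(ed25519.PublicKey))
}

// server stores only what the article says a site stores: the public keys of
// known users, plus the one-time random numbers it has issued and not yet used.
type server struct {
	host   string
	nonces map[string]bool
	users  map[string]bool
}

func newServer(host string) *server {
	return &server{host: host, nonces: map[string]bool{}, users: map[string]bool{}}
}

// issueChallenge builds the URL the login page would encode in its QR code:
// the site URL plus a long random number ("nut" is an assumed parameter name).
func (s *server) issueChallenge() (string, error) {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	n := hex.EncodeToString(nonce)
	s.nonces[n] = true
	return fmt.Sprintf("https://%s/sqrl?nut=%s", s.host, n), nil
}

// clientRespond is the app's side: the host in the scanned URL must match the
// host the user confirmed on screen, otherwise nothing is signed or sent.
func clientRespond(master []byte, challengeURL, confirmedHost string) (ed25519.PublicKey, []byte, error) {
	u, err := url.Parse(challengeURL)
	if err != nil {
		return nil, nil, err
	}
	if u.Hostname() != confirmedHost {
		return nil, nil, fmt.Errorf("user did not confirm host %q; stopping", u.Hostname())
	}
	priv := deriveSiteKey(master, u.Hostname())
	return priv.Public().(ed25519.PublicKey), ed25519.Sign(priv, []byte(challengeURL)), nil
}

// verifyLogin is the site's side of the HTTPS POST: the random number must be
// one it issued and not yet consumed, and the signature must verify under the
// supplied public key. On success that public key is the user's identity.
func (s *server) verifyLogin(challengeURL string, pub ed25519.PublicKey, sig []byte) (string, bool) {
	u, err := url.Parse(challengeURL)
	if err != nil || u.Hostname() != s.host {
		return "", false
	}
	n := u.Query().Get("nut")
	if !s.nonces[n] {
		return "", false // unknown or already used: replay rejected
	}
	if len(pub) != ed25519.PublicKeySize || !ed25519.Verify(pub, []byte(challengeURL), sig) {
		return "", false
	}
	delete(s.nonces, n) // single use
	id := hex.EncodeToString(pub)
	s.users[id] = true
	return id, true
}

func main() {
	master := []byte("0123456789abcdef0123456789abcdef") // constructed demo master key
	site := newServer("example.com")
	challenge, _ := site.issueChallenge()
	pub, sig, err := clientRespond(master, challenge, "example.com")
	if err != nil {
		fmt.Println("client stopped:", err)
		return
	}
	id, ok := site.verifyLogin(challenge, pub, sig)
	fmt.Printf("login ok=%v identity=%s\n", ok, id)
	fmt.Println("same user seen by other.example:", siteIdentity(master, "other.example"))
}
```

The server never learns the master key or the site-specific private key, a second site derives an unrelated public key from the same master key, and a captured response cannot be replayed because the random number is consumed on first use and the signature covers the exact challenge URL.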
A basic example where this may come in handy is posting comments on sites. Instead of having to register an account first on many sites, users could simply use SQRL for identification to post comments on those sites.
The web server the website is hosted on only stores the public key of users using SQRL. If a server gets hacked, that is all hackers get (plus other information that users may be required to add after the first authentication). Hackers cannot use the public key for anything, as they need access to the private key as well, which the website does not have access to either.
And since there is no keyboard input during the whole process, it takes care of all keyloggers and other recording applications that may be running on a computer system.
Last but not least, it is also a decentralized authentication option. The application you use is the key, and it runs only on your smartphone or your computer. There is no third party involvement whatsoever, and the algorithm used is NSA & NIST-free.
The official SQRL website offers additional details (lots of them) about the technology. If you are interested in digging deeper, this is a good place to start.