For several months now Steve Gibson of GRC.com and Security Now has been working on a new authentication protocol he named SQRL, the Secure Quick Reliable Login. On his web site he describes what happens when you log into a site, say Amazon, using SQRL (assuming Amazon adopted it).
The website displays a QR code, described as a “SQRL code,” beside the usual userid and password login prompt.
- The user can tap or click directly on the SQRL code to login, or launch their smartphone’s SQRL app, and scan the QR code.
- For verification, SQRL displays the domain name contained in the SQRL code.
- After verifying the domain, the user permits the SQRL app to authenticate their identity.
- Leaving the login information blank, the user clicks the “Log in” button… and is logged in.
The approach is highly secure, difficult to attack, easy to implement, and easy to use. He describes details at his site.
This is an elegant solution to the problems that come from dealing with passwords and I hope it continues to climb since it’s taken off!
SQRL at GRC.com
Security Now
Episode 424 on SQRL
Sqrl.pl Illustrated Guide