Why Passwords Suck
Usernames and passwords are not secure by nature. They are a control that relies on “Something you know”, and knowledge is easily transferred, so passwords are not secure.
No amount of security training will eliminate or overcome human nature. It is human nature to make passwords that are easily remembered. Passwords that are easily remembered are also easily guessed. Passwords are also used over and over again on multiple accounts – bank accounts, email accounts, work accounts, etc.
Worse yet, passwords are openly shared among trusted individuals like family members. That shared Netflix account email and password can, in some cases, also access many other accounts that the user has.
Therefore, Two Factor Authentication became necessary
By combining passwords with biometrics (Something you are) or a smart card (Something you have), the authentication is much more secure.
Requiring a one-time password from an RSA token or smartphone soft token along with a password is now the norm for signing into corporate systems. You have to know the password and also possess the device in order to sign in securely.
Biometrics, such as a fingerprint reader or retina scan, are less common but also very effective when combined with the need for a password.
The need for two factor authentication just reiterates that passwords suck.
There must be something better. There is.
SQRL (Squirrel) will destroy the need for Logins and Passwords
SQRL stands for “Secure Quick Reliable Login”. SQRL is the brainchild of one of the superstars in cyber security, Steve Gibson. Steve Gibson runs the Security Now podcast, is the author of many cyber security books, and is one of my favorite people in the cyber security space.
Steve and his team have been developing SQRL since the inception of the idea in 2013. This protocol/method is still under development but it appears that it is near ready for prime time. You can demo SQRL at Gibson Research.
The cool thing about SQRL is that it is completely free and open and it will always be that way. Steve Gibson created SQRL to fill a need and not to make money. Thousands of hours of development and research were “donated” for the good of the cyber world – a very noble thing indeed!
Here is the login page for the SQRL demo:
To make this work you will have a SQRL app on your phone. This app contains a private key.
The QR code (like the one in the image above) contains the URL and the domain of the site you are trying to connect to. By scanning the QR code you create a public/private key pair, using a hashing function (HMAC) with your master key and the domain name of the site.
Your phone app then transmits your public key to the site as your identity. The encrypted QR code is transmitted to authenticate you.
Your public key takes the place of your username. The encrypted QR code takes the place of your password.
Your public key is a constant – it does not change. So, the website you are accessing will always know that it is you.
Because the QR code is encrypted with your private key, the website can verify that you possess the matching private key without having knowledge of the private key itself.
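The key derivation and the site-side check described above, as an added Go example (not code from the post or from GRC's reference implementation): the per-site key pair comes from HMAC-SHA256 of the master key over the domain, used as an Ed25519 seed, and the app answers the site's random challenge from the QR URL with a signature that the site verifies against the presented public key. The master key, domain and challenge are constructed sample values, and the real protocol carries more fields than shown here.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// deriveSiteKeys: HMAC-SHA256 keyed with the master key over the domain name
// yields 32 bytes, used as the seed of a per-site Ed25519 key pair. Same master
// key and domain always give the same pair; another domain gives an unrelated one.
func deriveSiteKeys(masterKey []byte, domain string) (ed25519.PublicKey, ed25519.PrivateKey) {
	mac := hmac.New(sha256.New, masterKey)
	mac.Write([]byte(domain))
	seed := mac.Sum(nil) // 32 bytes: exactly one Ed25519 seed
	priv := ed25519.NewKeyFromSeed(seed)
	return priv.Public().(ed25519.PublicKey), priv
}

// newChallenge is the site's half of the QR code: a fresh random nonce embedded
// in the login URL, so a captured response cannot be replayed later.
func newChallenge() []byte {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	return nonce
}

// clientLogin is what the phone app does after scanning: derive the site key pair,
// sign the challenge, and send the per-site public key (the identity) plus signature.
func clientLogin(masterKey []byte, domain string, challenge []byte) (ed25519.PublicKey, []byte) {
	pub, priv := deriveSiteKeys(masterKey, domain)
	return pub, ed25519.Sign(priv, challenge)
}

// serverVerify is all the site needs: check the signature over the challenge it
// issued against the presented public key. The site never sees a private key.
func serverVerify(pub ed25519.PublicKey, challenge, sig []byte) bool {
	return len(pub) == ed25519.PublicKeySize && ed25519.Verify(pub, challenge, sig)
}

func main() {
	master := []byte("constructed 32-byte master key!!") // constructed sample; a real app uses random bytes
	challenge := newChallenge()
	pub, sig := clientLogin(master, "www.grc.com", challenge)
	fmt.Printf("identity: %x\nvalid: %v\n", pub, serverVerify(pub, challenge, sig))
}
```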
The SQRL process is both simple and brilliant.
Steve Gibson’s process drawing shows the steps:
The Amazing Advantages
SQRL is Ridiculously Easy to Use
One of the best things about this system is that it allows you to authenticate at a website very quickly with little effort. The user will not have to create a website account by typing in their email address and creating a password. That process is eliminated.
After you set up SQRL, when you want to create an account at a blog or any website it is as simple as clicking on the SQRL emblem. One step and you are done. This is very easy. People call this “frictionless”.
SQRL is Simple
While SQRL is ingenious, it is also very simple. This is important because simplicity means that there is not a lot that can go wrong. Because it is so simple, it is unlikely that there will need to be bug fixes.
SQRL is Very Secure
You should never see SQRL being the cause of any data losses due to hacking or social engineering. The very nature of SQRL makes it secure. A breach would mean that a hacker would have obtained the public keys of the users.
But nobody really should care if their public key is exposed.
Your public key is, as the name implies, public. The hacker would not be able to impersonate the users because the users’ private key remains private.
SQRL is better than using Facebook or Google to create a login.
Using Facebook and Google to create logins for websites is very easy but has a much higher security risk. Using this method makes you rely on a third-party website for authentication. When the third-party website gets compromised, every login that you have is compromised. This is definitely not an ideal situation when it comes to security.
How Will SQRL Unfold?
Right now there are relatively few people who know about SQRL, how it works, and the advantages of it. Only security geeks (like myself) and fans of Steve Gibson (also like myself) have a good knowledge of how SQRL works and the power of it.
I expect that Steve and the team will finish developing SQRL and it will be launched. The rollout will be very slow, as only we security folks will jump on it. But as it is demonstrated and its power is revealed, SQRL will begin gaining traction and press. The folks at TechCrunch will do a story for sure.
Soon, SQRL will take over the web as the security standard for websites. You will be hard pressed to find a WordPress site that is not using SQRL. If your site is not using SQRL then you will be at a disadvantage.
I see SQRL as the future. Let’s see if it unfolds the way I see it.