On October 2, 2013, Steve Gibson of Gibson Research Corporation announced a proposal that for some people could mean an internet experience free of user names and passwords.
Secure Quick Reliable Logon (SQRL) – pronounced squirrel – is a framework for using Quick Response (QR) codes as a standard vehicle for securely communicating login credentials online. The proposal as outlined has the potential to eliminate the need for many people to continue using logon names and passwords as they surf the internet.
Readers please note my liberal use of “could” and “might” rather than “will” in this column because this proposal is only under consideration and no standards are yet finalized. The idea really has captured the attention of web site developers and security experts such that the idea has gained much momentum in the few short weeks since it was unveiled.
Imagine this scenario: While surfing the internet you open a web site requiring a login using your name and password. You could simply point your smart phone to the QR code on the page, snap, and immediately your phone sends the web site your username and password and you are securely logged in to the web site. If you do not have an account with this site, your smart phone could set up one for you by making up a username and unique password. Best of all, the proposed system could work with any individual computer, smart phone, tablet or many other personal computing devices.
So how does SQRL work? Like any system using public key cryptography the technology is quite complex, but in simple terms it works like this: Your computer, smart phone or other device would contain a secret password known only to you. The QR code on the web site you want to enter would contain their unique domain name. When you scan that code, SQRL could scramble your unique password with the web site’s unique address to produce the logon credentials (your name and password) needed for you to access that site. My use of the verb “scramble” was intentional, because everyone knows you cannot un-scramble an egg and the passwords created by SQRL cannot be reverse-engineered.The SQRL proposal answers several of the most important aspects of online authentication and does so in a way to make the user experience as seamless as could be imagined.
Unique passwords: How many times have you heard it said that you should use a different password for every web site? The SQRL system does this and can also provide a level of anonymity.
Privacy: SQRL is a two-party system with no third-party such as Google or Facebook involved in tracking your online activities. This might be an area where adopting SQRL could face resistance from those companies that want to be able to continue monitoring your every movement.
Security: Admittedly, a careless user could still lose their SQRL credentials just as easily as they could lose that book in which they write down all their passwords. There is one improvement here because the SQRL proposal includes a framework for a standardized system that could allow users to more easily change their many passwords if they need to do so.
This 600-word overview is necessarily brief. If you want more information you may find the 4,000-word proposal at grc.com/sqrl/sqrl.htm. The proposed SQRL system is now being considered by the various organizations that approve the standards for the internet. In the months to come we can hope to see SQRL adopted by web sites and if that comes to pass then we will all be able to navigate the internet with much less friction than in the past.
Occasional Reporter contributor Charles Miller is a freelance computer consultant with more than 20 years IT experience and a Texan with a lifetime love for Mexico. The opinions expressed are his own. He may be contacted through his web site at SMAguru.com.