Logged in with SQRL

Well I’m here, logged in with SQRL. I didn’t even bother remembering the password I was forced to create in 1Password.

The account setup process via OAuth isn’t quite as good as the one on my WordPress blog with the plugin, but it does work!

BrianOfLondon

5 Likes

I would counter by saying the TWiT.community SQRL login and WordPress plugin experiences have been equally painless. Now I just need to jump through hoops and combine my TWiT.community user accounts, which is an awkward requirement.

Oooh awesome. I need to go back and look into this as it is so promising.

Doesn’t it seem like more work to log in using SQRL than with a password manager?

  1. Pick up iPhone
  2. Tap screen to wake
  3. Swipe up
  4. Tap to launch SQRL client
  5. Tap Scan SQRL QR code

or just click LastPass icon and autofill username/password

3 Likes

The website can’t release anything about me. That’s the bit I like.

@brianoflondon please elaborate? A website knows who you are when using SQRL ID.

I logged in with SQRL as well, but I had to also use my username, password and 2FA. I guess I have to disable 2FA if I want to use SQRL.

That depends on the website. This website requests information, and if you use OAuth, it will get some of that information via the OAuth protocol, but these are all choices. SQRL is fundamentally about authenticating that the same identity (normally a person, but robots exist) that joined at the beginning returns time after time. It is simply a means to prove “oh hi, it’s me again.” What information the site gets is your IP address, and nothing more, unless you give it to them (because they require it). This is not a function of SQRL but rather a function of the site using it. In particular, the site does NOT get your password to unlock SQRL, nor indeed anything like it. They get a large 256-bit number that is your identity. (It’s technically more complicated than this, but I don’t think that is relevant for this discussion.) So if your data gets “spilled” there is nothing useful for the bad guys to steal. (Again, assuming the site doesn’t have other data that is valuable… clearly if a bank used SQRL and got hacked, they would still have useful information to lose.)
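
The point in the post above, as an added example that is not part of the original thread: the site stores only a 256-bit public key, and a login is a signature over a fresh challenge, so a copy of the site's database does not let anyone log in. It assumes the SQRL derivation of a per-site Ed25519 key from HMAC-SHA256 of the domain under the identity master key; the domain names, the `server` type and the bare-nonce challenge are simplifications made for this sketch.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// siteKey derives the per-site key pair: HMAC-SHA256 of the site's domain,
// keyed with the user's identity master key, is used as the Ed25519 seed.
func siteKey(master []byte, domain string) (ed25519.PublicKey, ed25519.PrivateKey) {
	mac := hmac.New(sha256.New, master)
	mac.Write([]byte(domain))
	priv := ed25519.NewKeyFromSeed(mac.Sum(nil)) // 32-byte seed
	return priv.Public().(ed25519.PublicKey), priv
}

// server (hypothetical) holds all a site stores for SQRL login: public keys.
type server struct{ accounts map[string]bool }

// login accepts a challenge signature only from a known public key.
func (s *server) login(pub ed25519.PublicKey, challenge, sig []byte) bool {
	return s.accounts[string(pub)] && ed25519.Verify(pub, challenge, sig)
}

// demo returns: owner login ok, login with leaked public key only, keys linkable.
func demo() (bool, bool, bool) {
	master := make([]byte, 32) // constructed master key; never leaves the client
	rand.Read(master)
	pubA, privA := siteKey(master, "forum.example")
	pubB, _ := siteKey(master, "shop.example")

	site := &server{accounts: map[string]bool{string(pubA): true}}
	challenge := make([]byte, 16) // fresh per-login nonce issued by the site
	rand.Read(challenge)

	owner := site.login(pubA, challenge, ed25519.Sign(privA, challenge))
	// Someone holding a database dump has pubA but not the private key.
	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader)
	thief := site.login(pubA, challenge, ed25519.Sign(otherPriv, challenge))
	return owner, thief, string(pubA) == string(pubB)
}

func main() {
	owner, thief, linked := demo()
	fmt.Println("owner:", owner, "thief:", thief, "same key on both sites:", linked)
}
```

The third result shows that the same identity presents unrelated keys to different sites, so a leaked key cannot be matched against another site's records.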

It drove me potty, it didn’t work for me the first time and I ended up creating a new account. Then deleting it.

My problem was the 2-factor authentication, I forgot to disable that first… Then it worked perfectly.

2 Likes

What would raise the level of concern enough to use 2FA on this forum?

I think people who are comfortable with enhanced security will use 2FA anywhere it is offered.

2 Likes

2FA is a habit: if it is there, I use it for everything. I’m using 1Password on my Mac and iPhone and it handles the whole thing very easily.

2 Likes

I agree with you for those of us using password managers; however, for the vast majority who don’t use a password manager, if SQRL were to become their login method for most things, they would be infinitely more secure. The website would be holding NOTHING of value that could leak, and there would be no issues with re-use of passwords.

Guess I need to explore 1Password more. I use LastPass for Families. Apparently they offer MFA for Business but don’t see that option for Families.

Again, apparently my understanding is lacking. I just do not see websites allowing users authentication with SQRL only. How would the website offer services or products to someone using SQRL ID only? Also, if someone only has a mobile phone, how do they use SQRL to log in?

You can download the SQRL Apps

1 Like

I use LastPass Families with MFA. I have 3 Yubikeys on my account, 2 on my wife’s account and one of my sons-in-law also has a Yubikey. I also use the token generator.

As to SQRL, why not? It only affects the login process, it doesn’t stop you giving your name and address and payment details on the platform, after you have logged on to the site with SQRL.

But how do you use the SQRL Apps to log in if all you have is a mobile phone?

@big_D are you just using MFA to get into your LastPass vault? How do you use LastPass to manage MFA on a website that only supports SMS?

@big_D soon as you add your name, address, and payment details, you defeat the idea of a website holding nothing of value that could leak.