Logged in with SQRL

I use MFA on LastPass to protect my /out vaults.

If the destination only uses SMS, nothing can make the site secure and a password vault won’t be of any help with MFA.

Likewise, if you use LastPass or another password vault to store the MFA secrets, you are weakening your security. I print out the QR codes and the one-time passwords and store them in my safe.

In the unlikely event that someone breaks into the vault, they then have your username, password and the key to the MFA. That is putting all your eggs into one basket.

What do you mean? The same as the GRC client: you click on the link and it brings up the client.

@big_D I understand the eggs/basket thing, but remain puzzled about @brianoflondon’s comment
2FA is a habit: if it is there, I use it for everything. I’m using 1Password on my Mac and iPhone and it handles the whole thing very easily.

It depends on the site. Using SQRL would make logging into Amazon more secure, but you still need to tell them where to deliver your purchases.

SQRL is about increased security for logging into sites, especially as every site has a unique key, which even if leaked, only helps the attacker to know your ID on the one site, but without your private key they still can’t log on.

For sites where additional information is not necessary for the account, it also increases privacy, as there is no feedback loop with names or email addresses. It is up to the user how much information they want to give the destination, just their SQRL ID or also additional information to make the site more useful.
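The per-site key idea from the post above, as an added sketch that is not part of any post in this thread and is not GRC's client code. It assumes SQRL's published design in simplified form: a per-site seed is HMAC-SHA256 of the domain under the identity master key and is used as an Ed25519 seed. The `IMK` value, the function names and the pure-Python Ed25519 helper are illustrative.

```python
import hashlib, hmac
P = 2**255 - 19                                       # Ed25519 field prime
Q = 2**252 + 27742317777372353535851937790883648493   # order of the base point
D = -121665 * pow(121666, -1, P) % P                  # curve constant d
IMK = bytes(range(32))   # constructed sample master key, not a real identity

def _add(a, b):          # affine twisted-Edwards point addition
    (x1, y1), (x2, y2) = a, b
    t = D * x1 * x2 * y1 * y2 % P
    return ((x1*y2 + x2*y1) * pow(1 + t, -1, P) % P,
            (y1*y2 + x1*x2) * pow(1 - t, -1, P) % P)

def _mul(k, pt):         # double-and-add; illustrative, not constant time
    acc = (0, 1)
    while k:
        if k & 1: acc = _add(acc, pt)
        pt, k = _add(pt, pt), k >> 1
    return acc

def _dec(b):             # decompress a 32-byte point, rejecting non-points
    n = int.from_bytes(b, "little"); sign_bit, y = n >> 255, n & (2**255 - 1)
    x2 = (y*y - 1) * pow(D*y*y + 1, -1, P) % P
    x = pow(x2, (P + 3) // 8, P)
    if (x*x - x2) % P: x = x * pow(2, (P - 1) // 4, P) % P
    if (x*x - x2) % P: raise ValueError("not a curve point")
    return (P - x if (x & 1) != sign_bit else x, y)

B = _dec((4 * pow(5, -1, P) % P).to_bytes(32, "little"))   # base point
_h = lambda m: int.from_bytes(hashlib.sha512(m).digest(), "little") % Q
_enc = lambda pt: (pt[1] | ((pt[0] & 1) << 255)).to_bytes(32, "little")

def keypair(seed):       # RFC 8032: (secret scalar, nonce prefix, public key)
    h = hashlib.sha512(seed).digest()
    a = int.from_bytes(h[:32], "little") & ((1 << 254) - 8) | (1 << 254)
    return a, h[32:], _enc(_mul(a, B))

def site_seed(imk, domain):   # per-site seed: HMAC-SHA256(master key, domain)
    return hmac.new(imk, domain.encode(), hashlib.sha256).digest()

def sign(seed, msg):     # client side: sign the site's challenge
    a, prefix, pub = keypair(seed)
    r = _h(prefix + msg); R = _enc(_mul(r, B))
    return R + ((r + _h(R + pub + msg) * a) % Q).to_bytes(32, "little")

def verify(pub, msg, sig):    # site side: needs only the stored public key
    s, k = int.from_bytes(sig[32:], "little"), _h(sig[:32] + pub + msg)
    return s < Q and _mul(s, B) == _add(_dec(sig[:32]), _mul(k, _dec(pub)))

if __name__ == "__main__":    # one identity, two sites, two unrelated public keys
    print([keypair(site_seed(IMK, d))[2].hex() for d in ("sqrl.grc.com", "sqrloauth.com")])
```

A site that stores only `keypair(seed)[2]` can check a login with `verify`, but that value neither matches the key held by any other site nor lets anyone produce a valid signature.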

Like this @sawgrass

https://youtu.be/rYg3Jnl9GCY

@josecgomez on an iPhone? I’m obviously still missing something. If all I had was an iPhone, navigated to https://sqrl.grc.com using Safari, how would I login with SQRL?

I’m assuming he uses a 1password token generator as well and it is somehow integrated into 1password. That isn’t something I would be comfortable doing, as it weakens the security.

LastPass offers its authenticator as well and will store the key in LastPass, but I wouldn’t do that, personally. But I work in IT and specialise in security, so I go the whole 9 yards, when it comes to doing security properly.

You click on the SQRL icon on the login page and it should start the SQRL app on your phone, which will then handle the authentication.

@josecgomez is that video using an Android device? I don’t seem to have same experience on iPhone.

No it’s on an iPhone

You do have to switch back once the authentication is done
But it works fine

@josecgomez I open twit.community in Safari, click Login, click with SQRL, the sqrloauth.com page launches with a QR code, I tap the QR code and am prompted to Open in “sqrl”, then see a message at the bottom of the screen: “you are authenticated to sqrlOauth.com”. However, I am then only seeing the EditUserInfo screen. It is not taking me back to twit.community like your video shows.

Ok, that means that the identity in your phone is new or looks new to the site.
Meaning it doesn’t match the one in twit.
So it’s creating a new SQRL account for you and asking you to update the details.

@josecgomez but I can use my phone to scan the QR code displayed when using my MacBook Air and all works fine.

Hmm, that’s strange, very strange.

create account can be skipped? email necessary
just sqrl login worked for me Regards

1 Like

@josecgomez here is what I see on my wife’s iPhone, which does not have the SQRL client. Is this the behavior to expect when tapping on the SQRL logo / QR code?

I’m confused. I wanted to change my account to use SQRL. I went to my preference page and tried “Associated Accounts OAuth 2”, pressing connect. Clicking on the SQRL logo and logging in via SQRL, I get a partially filled in setup page with someone else’s identity.
What I wanted was just to update my login method.

The TWiT community is using OAuth. If you think about how OAuth would be used outside of SQRL, it would normally be used with the “login with Google” or “login with FaceBroke” buttons. (Sorry, I have so little respect for the face site that I will not use its proper name.) These sites already have information about you that you authorize them to share with the site you are using them with.

In the case of the SQRL version, there is no existing account for you on sqrloauth.com. So when you show up for the first time, it offers to create one for you, and fills it out with “imaginary” information for you. This is part of the “promise” that you can be more anonymous with SQRL if you want. You can edit this information to be “real” if you want.

2 Likes

@PHolder so how do I log in to twit.community using only my iPhone, Safari, and my SQRL ID?