SQRL Login for TWiT Community!

Thanks. I’ll stop playing in the murky corners now :wink:

1 Like

I associated my account, and it worked as expected. Now I gotta go log out and try it. This is gonna be sweet though!

EDIT: And it worked great! Thanks for your hard work on this Jose! :tada:

2 Likes

I am not seeing the Associated Accounts in my preferences. I have two-factor enabled, so that may be blocking it?

Yeah 2 Factor doesn’t allow 3rd Party Auth

Folks, I love Steve and SQRL is a very clever solution but please use 2FA on this site. Even if that means SQRL is unusable.

Do y’all consider SQRL more secure than password + 2FA?

I disabled two-factor and got SQRL working.
After all these years of listening to Steve talk about it, I finally get to use it in the wild. :sunglasses:

@Leo, Use 2FA over SQRL? I thought SQRL was as good as 2FA, just faster and easier.

A single point of failure, however obscure, is still a single point of failure.

I guess you could argue that as long as you protect your private key you’re safe. And if you have a passcode or biometric unlock on your phone then you are using 2FA.

Just make sure you lock down your secret code. I put mine in LastPass - which means it’s no more safe than a password if LastPass gets breached. If I had a wall vault, well, then maybe.

With 2FA someone would have to breach my LastPass and get my phone.

It’s an interesting question. I’m open to your thoughts. It makes me nervous to just have SQRL on this site, especially as I’m the admin. Am I wrong?

2 Likes

If the SQRLOauth site goes down, then I guess we can’t log in.
More reliable would be a native SQRL authentication on this site.

Yeah we’re trusting @josecgomez to keep his site up. Although if you have a password login you could still get in but then you’re vulnerable because you don’t have 2FA.

This site is hosted by the Discourse folks, so I can’t put an Oauth server on it. I never turned on the other Oauth choices: Google, Facebook, LinkedIn. Would people like to log in that way? I’m kind of averse to the idea. Good old password + 2FA is perfectly convenient once you get in, and perfectly private and secure. I don’t see the need for anything else.

Anyone want to take any bets on how many people use SQRL on here now that it’s available?

1 Like

Agreed, 2FA is always good.
This is a shortcoming of Discourse, not SQRL; for some reason they don’t allow both in Discourse.
I’ll put in a request with codinghorror to see if they can add 2FA flow with OAuth.

And yes the SQRL use will be minimal (everywhere unless it takes off)

I love the concept enough to write code for it; however, there is a LOT of user education required for this to go anywhere beyond here!

I hope it does but I also think it can be simplified a lot (Steve disagrees but that whole rescue code bit is A LOT to ask of a normal user)

PS: I’ll keep the site up indefinitely, but if you @Leo want to run your own on a hosted server I can also help you get that going, if you want to also run yet another server lol

3 Likes

I was hoping that SQRL would one day obsolete all the other 3rd party logins, especially Facebook. The less I depend on Facebook, the better.

1 Like

As a middle ground I will add 2FA support to SQRLOAuth

2 Likes

Discourse’s response
I guess it’s up to me, I’ll work on that

1 Like

I think using SQRL is a form of two factor already. You have to have the SQRL identity AND the user’s password to unlock it (or their recovery code, but if you follow Steve’s stated advice that will be printed on paper and kept completely offline.)

3 Likes

I agree, you need your local SQRL ID and your password in order to use SQRL on the host site. That is automatic two factor on your local machine.

I think @Leo should clear that up with Steve on the next Security Now.

2 Likes

Ooh, I will be trying this ASAP. Thanks for implementing.

1 Like

Setting up SQRL for TWiT.community was painless. Setting up the SQRL WordPress plugin was painless. Ironically, I cannot get my SQRL account working on sqrl.grc.com. The iOS client crashes and offers an option to share a crash report, which has yet to yield any response.

The Android client was just crashing at the OAuth site this morning. :frowning:

Hmmm, I have used the iOS client, Steve’s client and the web extension just fine.
I don’t have an Android phone to test the Android client…
I’ll see what I can do, but I suspect if the other 3 clients work fine then it may be an issue with the Android version.

Can you try Steve’s client there?