DEV Community

Daniel Persson

Steve Gibson - SQRL - Secure Quick Reliable Login

SQRL provides secure pseudonymous identity online. It has many properties that make it significantly superior to usernames, passwords and all other forms of identity establishment. Rather than another second "factor" for identity, SQRL provides a secure single factor. It can peacefully coexist alongside usernames and passwords, OAuth, FIDO, TOTP tokens, or any other system. But it is truly superior to them all and it is hoped that it might eventually replace everything else. SQRL's design is 100% open, free, unencumbered by any intellectual property rights, and it is ready for the world.

In 1970, while in high school, Steve fell in love with programming in assembly language on a 12-bit 4K DEC PDP-8 minicomputer. He's never stopped programming. Although many products bear his mark, the appearance of the Internet and its clear need for security caused him to create "ShieldsUP!", the free online service to allow users to check their machines for open ports, and a large variety of popular security-oriented freeware. 14 years ago, Leo Laporte asked Steve if he would consider producing a weekly podcast on the topic of security.

Steve named it "Security Now!" and 14 years later that podcast has roughly 250,000 weekly listeners. Five years ago, the core concept for SQRL occurred to him during breakfast... and he's here to show us the result of five years of work.

Top comments (4)

Ryan (ohryan)

You're the guy that wrote the Android app, eh?

I've watched the entire talk, super interesting ideas in there. However, there's one really important aspect I don't really understand. Not sure if I missed it or if Steve glossed over it.

How do you revoke auth?

Suppose my identity is stolen (a thief takes my phone, malware steals the file), how can websites know not to trust the stolen auth?

Daniel Persson (kalaspuffar)

Hi Ryan.

Thank you for this excellent question. It might have been a bit much to talk about all the details of the protocol on stage.

Yes, I'm one of the developers of the Android application. I did the prototype, and probably most of the work, but I have great help with some contributors.

Revocation is very similar to a username and password revocation. If you have the original login, you can regain your access and trust without any email chain.

What we do, built into the protocol, is that you rekey your identity, so you have a new identity. This operation can only be done with your super-secret rescue code. Then you visit the sites where you want to revoke your identity. The application will then give the site both the old identity and the new one, so it will change your identity to the new one. This can only be done if you are the owner of the rescue code, which makes it safe.

Another scenario that Steve might not have mentioned: you travel abroad with your identity, and you need to give the officials your phone. They might have copied your identity, and you don't want them to access a specific site.

Then you can visit that site and, just by supplying your regular identity and a lock command, lock access to that site until you are safe at home with your rescue code and can unlock access to the site again.

Similarly, there is a provision that you may not remove your key from a site without supplying your rescue code.

So this rescue code is very useful for the cases where your identity is stolen.

I hope this clears up some confusion, and if you have any questions, then don't hesitate to ask.

For even more information, everything should be documented at grc.com/sqrl/sqrl.htm

Best regards
Daniel

Sean Allin Newell (sirseanofloxley)

Yay sqrl! 🐿️

Maybe I should help write a node wrapper so people can npm install sqrl...

Sean Allin Newell (sirseanofloxley)

Oh neat, here's a package for it!