Secure, Quick, Reliable Login, or SQRL (pronounced “squirrel”), is a draft open standard for anonymous and secure user identification and authentication to websites and web applications. It was proposed by its inventor Steve Gibson as an easy-to-use replacement for usernames, passwords, and MFA.
SQRL was designed to eliminate username and password authentication to remote websites.
When using SQRL, users need only to provide one password to unlock their signing keys, which are stored locally on their device and never disclosed to any website. The password is verified locally on the device that stores the signing keys.
To authenticate using SQRL, visitors to a website are uniquely identified by an anonymous SQRL ID, which they present every time they visit the same site. Since no two visitors have the same ID, the website can uniquely and anonymously identify each of its visitors.
While users always present the same ID to the same site, they present an entirely different ID to every other site they visit, so it is impossible to link identities across sites.
The SQRL login process works as follows:
- The user is presented with the URL of the site's authentication service instead of a typical username/password login screen. The URL can also be presented as a QR code for easy scanning by mobile devices. In addition to the location of the authentication service, the URL includes a securely generated, long random number (a nonce), so that every presentation of the login page displays a different URL and QR code.
- Using the SQRL authentication application on the user's device (a smartphone or some other device), the domain name portion of the URL is cryptographically hashed with the user's master key (a keyed hash, HMAC, in the SQRL design) to produce the site-specific key pair. Only the domain enters the derivation, never the nonce, so the same site always receives the same key pair while every other site receives a different one.
- The app then cryptographically signs the full URL, nonce included, using the site-specific private key. Because the nonce differs for every presentation of the login page, the signature is unique to that login attempt and cannot be replayed for a later one.
- The app issues a secure HTTPS POST command to the authentication service specified in the URL. The POST provides the site-specific public key and the matching cryptographic signature of the URL.
- The authenticating website receives and acknowledges the POST by returning a standard HTTP “200 OK” with no other content. The SQRL app acknowledges the successful submission of the user-signed URL.
- The authenticating site has the URL containing the nonce that it embedded in the login page. It also has the user's site-specific public key and the signature of that URL. It uses the public key to verify that the signature is valid for the URL, i.e. that whoever produced the signature holds the private key corresponding to that public key. Since a nonce is meant to be used once, the site should also refuse a second login that presents the same nonce. After verifying the signature, the authenticating site recognizes the now-authenticated user by their site-specific public key.
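The steps above, carried through end to end as an added example (this is illustrative code written for this page, not SQRL's own client, server, or wire format, which signs a structured client/server parameter block rather than the bare URL). It assumes Go's standard library, derives the per-site key with HMAC-SHA256 over the site's domain name, names the nonce query parameter `nut` and uses a `sqrl://` scheme, keeps issued nonces in memory, and returns the site ID or an error directly instead of the HTTP "200 OK" described above. The master key is a constructed value for the demonstration; a real app would hold 32 random bytes unlocked by the user's local password.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"net/url"
)

// SiteKeyPair (client) derives the per-site Ed25519 key pair by keyed-hashing
// the site's domain, not the whole URL, with the master key: the nonce in the
// login URL must not change the identity presented to a site.
func SiteKeyPair(masterKey []byte, domain string) (ed25519.PublicKey, ed25519.PrivateKey) {
	mac := hmac.New(sha256.New, masterKey)
	mac.Write([]byte(domain))
	priv := ed25519.NewKeyFromSeed(mac.Sum(nil)) // 32-byte MAC is exactly a seed
	return priv.Public().(ed25519.PublicKey), priv
}

// LoginRequest is the body the app would POST to the authentication service.
type LoginRequest struct {
	URL       string            // the login URL that was signed, nonce included
	PublicKey ed25519.PublicKey // site-specific public key, i.e. the SQRL ID
	Signature []byte
}

// SignLogin (client) selects the site key from the host in the login URL and
// signs the full URL, binding the signature to this one login attempt.
func SignLogin(masterKey []byte, loginURL string) (LoginRequest, error) {
	u, err := url.Parse(loginURL)
	if err != nil {
		return LoginRequest{}, err
	}
	pub, priv := SiteKeyPair(masterKey, u.Hostname())
	sig := ed25519.Sign(priv, []byte(loginURL))
	return LoginRequest{URL: loginURL, PublicKey: pub, Signature: sig}, nil
}

// AuthService (server) remembers the nonces it issued but has not yet consumed.
type AuthService struct {
	Domain  string
	pending map[string]bool
}

func NewAuthService(domain string) *AuthService {
	return &AuthService{Domain: domain, pending: map[string]bool{}}
}

// NewLoginURL issues a fresh 256-bit nonce ("nut" is this example's parameter
// name); the returned string is what the login page would show, e.g. as a QR code.
func (s *AuthService) NewLoginURL() string {
	var b [32]byte
	if _, err := rand.Read(b[:]); err != nil {
		panic(err)
	}
	nonce := hex.EncodeToString(b[:])
	s.pending[nonce] = true
	return fmt.Sprintf("sqrl://%s/login?nut=%s", s.Domain, nonce)
}

// Verify checks a posted login and returns the hex site ID on success. It
// rejects URLs for another site, unknown or already-consumed nonces, and
// signatures that do not verify under the presented public key.
func (s *AuthService) Verify(req LoginRequest) (string, error) {
	u, err := url.Parse(req.URL)
	if err != nil {
		return "", err
	}
	if u.Hostname() != s.Domain {
		return "", fmt.Errorf("login URL is for %q, not %q", u.Hostname(), s.Domain)
	}
	nonce := u.Query().Get("nut")
	if !s.pending[nonce] {
		return "", fmt.Errorf("unknown or already-used nonce")
	}
	if len(req.PublicKey) != ed25519.PublicKeySize ||
		!ed25519.Verify(req.PublicKey, []byte(req.URL), req.Signature) {
		return "", fmt.Errorf("signature does not verify")
	}
	delete(s.pending, nonce) // each nonce logs in once, so a replayed POST fails
	return hex.EncodeToString(req.PublicKey), nil
}

func main() {
	master := []byte("constructed-master-key-for-demo-only") // real: 32 random bytes
	blog, shop := NewAuthService("blog.example"), NewAuthService("shop.example")
	req, _ := SignLogin(master, blog.NewLoginURL())
	id, err := blog.Verify(req)
	fmt.Println("blog sees SQRL ID", id, "err:", err)
	_, err = blog.Verify(req)
	fmt.Println("replaying the same POST:", err)
	req2, _ := SignLogin(master, shop.NewLoginURL())
	id2, _ := shop.Verify(req2)
	fmt.Println("shop sees a different ID:", id2 != id)
}
```

Running it shows the three properties the list above relies on: the same master key yields the same public key on every visit to `blog.example`, a different public key on `shop.example`, and a second POST of an already-verified request is rejected because its nonce has been consumed.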
The SQRL application can also reside on a mobile device separate from the browser. In that case the website presents a QR code encoding the URL of the site's authentication service (nonce included), and the user scans it with the app to complete the authentication process.
To exemplify how SQRL identification and authentication works, suppose you wish to comment on a blog post. Rather than going through the annoying process of creating an account to uniquely identify yourself to a new website, you can log in using your SQRL identity. If the site hasn't encountered your SQRL ID before, it might prompt you for a name to associate with your postings. The result is a secure and unique identity on that blog site where no one can impersonate you, and any time you return, you will be immediately and uniquely identified. No accounts are set up, and no usernames or passwords are required for logging in. As a result, there is nothing to remember or to forget.