Secure, Quick, Reliable Login (SQRL)
Secure, Quick, Reliable Login, or SQRL (pronounced “squirrel”), is a draft open standard for anonymous and secure user identification and authentication to websites and web applications. Its inventor, Steve Gibson, proposes it as an easy-to-use replacement for usernames, passwords and MFA.
SQRL was designed to eliminate username and password authentication to remote websites.
When using SQRL, users need only provide one password to unlock their signing keys, which are stored locally on their device and never disclosed to any website. The password is verified locally, on the device that stores the signing keys.
To authenticate using SQRL, visitors to a website are uniquely identified by an anonymous SQRL ID, which they present every time they visit the same site. Since no two visitors have the same ID, the website can uniquely and anonymously identify every one of its visitors.
While users always present the same ID to the same site, they present an entirely different ID to every other site they visit, so identities cannot be linked across sites.
The SQRL login process works as follows:
• The user is presented with the URL of the authentication service for the site, instead of a typical username / password login screen. The URL can also be presented as a QR code for easy scanning by mobile devices. In addition to the location of the authentication service, the URL also includes a securely generated long random number (also known as a nonce) so that every presentation of the login page displays a different QR code.
• The SQRL authentication app on the user’s device (a smartphone or any other device) cryptographically hashes the URL together with the user’s master key to produce a site-specific key pair.
• The app then cryptographically signs the URL using the site-specific private key. Because the URL includes a secure long random number (the nonce), the signature is unique for that site.
• The app issues a secure HTTPS POST request to the authentication service specified in the URL. The POST carries the site-specific public key and the matching cryptographic signature of the URL.
• The authenticating website receives and acknowledges the POST by returning a standard HTTP “200 OK” with no other content. The SQRL app acknowledges the successful submission of the user-signed URL.
• The authenticating site has the URL containing the nonce which came back from the login page. It also has a cryptographic signature of that URL, and the user’s site-specific public key. It uses the public key to verify that the signature is valid for the URL (i.e. that the user who produced the signature used the private key corresponding to the public key). After verifying the signature, the authenticating site recognizes the now-authenticated user by their site-specific public key.
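The exchange above, carried through in working code, as an added example that is neither part of the original page nor any SQRL project's code. It uses only Go's standard library and follows SQRL's approach of seeding the site-specific Ed25519 key with HMAC-SHA256 of the master key over the site's domain, so the ID stays stable across visits while the nonce in the URL changes. The "nut" query parameter name, the constructed master key, passing the public key and signature directly instead of over HTTPS, and the server's single-use nonce bookkeeping are assumptions of this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"net/url"
)

// siteKey derives the site-specific Ed25519 key: seed = HMAC-SHA256(masterKey, domain).
// Keying on the domain (not the whole URL) keeps the SQRL ID stable across visits even
// though every login URL carries a fresh nonce; any other domain yields an unrelated key.
func siteKey(masterKey []byte, domain string) ed25519.PrivateKey {
	mac := hmac.New(sha256.New, masterKey)
	mac.Write([]byte(domain))
	return ed25519.NewKeyFromSeed(mac.Sum(nil)) // HMAC output is exactly the 32-byte seed
}

// ClientSign is the app's side: sign the exact nonce-bearing URL with the key for its host.
// It returns what the POST carries: the site-specific public key and the signature.
func ClientSign(masterKey []byte, loginURL string) (ed25519.PublicKey, []byte, error) {
	u, err := url.Parse(loginURL)
	if err != nil {
		return nil, nil, err
	}
	priv := siteKey(masterKey, u.Host)
	return priv.Public().(ed25519.PublicKey), ed25519.Sign(priv, []byte(loginURL)), nil
}

// Server remembers outstanding nonces ("nuts") so a captured POST cannot be replayed (assumed).
type Server struct{ pending map[string]bool }
func NewServer() *Server { return &Server{pending: map[string]bool{}} }

// NewLoginURL issues the URL (or QR code content) for one view of the login page.
func (s *Server) NewLoginURL(domain string) string {
	nut := make([]byte, 16)
	if _, err := rand.Read(nut); err != nil {
		panic(err)
	}
	s.pending[hex.EncodeToString(nut)] = true
	return "sqrl://" + domain + "/sqrl?nut=" + hex.EncodeToString(nut)
}

// Verify accepts a POST only if its nut is still outstanding, the key is well-formed and the
// signature over the exact URL checks out; the user is then recognised by their public key.
func (s *Server) Verify(loginURL string, pub ed25519.PublicKey, sig []byte) (string, bool) {
	u, err := url.Parse(loginURL)
	if err != nil || !s.pending[u.Query().Get("nut")] ||
		len(pub) != ed25519.PublicKeySize || !ed25519.Verify(pub, []byte(loginURL), sig) {
		return "", false
	}
	delete(s.pending, u.Query().Get("nut")) // a nut is single-use
	return hex.EncodeToString(pub), true
}
```

Note that the length check runs before `ed25519.Verify`, which panics on a public key of the wrong size; a server must never let client-supplied bytes reach it unchecked.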
The SQRL application can reside on a mobile device; in that case the website presents a QR code that encodes the site’s authentication service URL (with a nonce), and the user scans the code to complete the authentication process.
To illustrate how SQRL identification and authentication work, suppose you wish to comment on a blog post. Rather than going through the annoying process of creating an account to uniquely identify yourself to a new website, you can log in using your SQRL identity. If the site hasn’t encountered your SQRL ID before, it might prompt you for a name to associate with your postings. The result is a secure and unique identity on that blog site where no one can impersonate you, and any time you return you will be immediately and uniquely identified. No accounts are set up and no usernames or passwords are required for logging in, so there is nothing to remember or to forget.
SQRL is used as an anonymous alternative to usernames and passwords (and MFA) for authenticating users to websites.
SQRL is designed to be phishing resistant – the authentication credential produced is site specific and the secret used for authentication never leaves the user’s device. But there are ways for a determined attacker to overcome SQRL.
SQRL is a draft open standard with open source implementations available on GitHub and other code repositories.
SQRL has several advantages including:
- Users need to remember only one password to access all websites: the password securing their master key.
- User secrets (password, master key and private key) never leave the user’s device, making them less susceptible to attack.
- Websites don’t need to handle or store sensitive user secrets; all they need is the user’s public key to verify their signature.
- Credentials are site specific and based on asymmetric cryptography, so they are secured against brute force, password spraying, credential stuffing and other common attacks on username/password authentication.
Identity fragmentation typically refers to the multiplicity of identities used by a single person to access multiple websites and applications. Multiple user accounts result in multiple identities that need to be authenticated using multiple credentials.
QR codes encode data of any kind, so a QR code in itself says nothing about authentication. In the case of SQRL, the QR code encodes the URL of the site’s authentication service (plus the nonce) for users who want to authenticate with a SQRL mobile application.