In case you haven't noticed: Passwords suck. Fortunately alternatives to that age-old authentication scheme are finally becoming practical. Today we will look at SQRL (Secure Quick Reliable Login), which aspires to become the simple and secure solution for your every-day authentication needs.
By Øystein Grande Jaren
December 2, 2019
SQRL was originally invented in 2013 by Steve Gibson (these days best known as host of the podcast Security Now!). Over the past few years a lot of work has gone into making SQRL ready for the world. The specification was recently finalized, and several client and server implementations have been developed, making now a good time for curious developers to start experimenting with this promising technology.
SQRL uses public key cryptography to securely authenticate a user to a web site with minimal fuss, and without the user having to memorize or manage a multitude of passwords. It is based around the central premise of using a single master identity - the user's SQRL Identity - to predictably generate unique identities for every web site that the user authenticates to.
This is how logging in with SQRL works at a high level:
sqrl://www.example.com?nut=X7Kyfz9xr8jLt4aB9xQF. That "nut" parameter is a nonce, uniquely generated every time the login page loads.
The above image borrowed from the SQRL documentation nicely illustrates how SQRL generates site specific identities from the site domain name and the user's Master Key.
This relatively simple concept provides us with many desirable characteristics, most notable of which are:
All these benefits also put some responsibility on the user. Since the Master Key resides in the SQRL client app on the user's phone or PC, the user must take appropriate precautions to protect the SQRL client app on her device. If the user's chosen master password (which is used to encrypt and decrypt the Master Key) is not sufficiently strong, this of course weakens the overall security of the system. Also, since there is no third party to turn to for help, the user must make sure to back up her SQRL Identity in case she loses her device. Fortunately this is easy to do. The SQRL Identity (i.e. the 256-bit Master Key) can simply be printed in encrypted form as a QR code and/or human-readable text on a piece of paper for offline storage. Importing the SQRL Identity into the SQRL client app on a new device is as simple as scanning a QR code or entering a bit of text. Encryption by the master password is preserved. But what if you forget the master password? Well, for this case you have the Rescue Code, which is generated when you first create your SQRL Identity. It absolutely must be stored in a safe place, as it can rescue you from pretty much any bad situation imaginable.
Now I hear you say: What about FIDO2/WebAuthn and hardware security keys? Some web sites have started to offer support for passwordless authentication using FIDO2 hardware keys. This offers similar security properties to SQRL (in some ways arguably better), while also being very simple to use. A major downside is the difficulty of backup. The private keys are locked inside the hardware and cannot be accessed in any way. Thus the only way to back up is to register multiple security keys with every web site you use. This can quickly become a maintenance nightmare. Locking up the keys inside the hardware does provide superior security at face value, but at a considerable cost in convenience. This cost may be too high for most users, which means that they must keep alternate (and less secure) authentication methods active as fallbacks, arguably negating the most important benefits of using security keys in the first place. It may be that SQRL strikes the security/convenience balance better.
It remains to be seen if SQRL will get enough traction to make a dent in the dominance of passwords, but its security properties and ease of use are certainly compelling, and importantly: it is completely free and unencumbered by patents and other intellectual property rights. It is simple to implement SQRL support on the server side, in no small part due to the excellent documentation. Additionally, SQRL authentication will happily coexist with traditional authentication methods on your web site. You can trivially allow existing users to add a SQRL identity which will be linked to their account, making for a smooth transition into a more secure future.
SQRL client apps are available or in development for Windows, Mac, Linux, Android and iOS, as well as browser plugins. Server libraries exist for .NET Core, Java, Go and more. There is even a WordPress plugin.
To learn more and try out SQRL for yourself, check out the links below. The documentation actually makes for a surprisingly engaging read!