Adding SQRL (Secure Quick Reliable Login) http://sqrl.pl/blog/


(chamunks) #1

What I Believe

I believe that Discourse is already throwing away many standardized conventions already in the name of evolution of communication and related technology. Moving to something where privacy, security reliability and simplicity is inherent like SQRL seems like the “perfect match”.

SQRL a Better Authentication Method.

I am suggesting adding an alternative method which could be merged into the login/registry screen.

The websites I’ll link for your own study and consideration are sqrl.pl and grc.com both have valid and powerful explanations of this technology. Basically for those of you who don’t like clicking foreign links without a short pitch. Heres the idea of how SQRL works.

The problem

When you first show up to a website you’re usually presented with a register/login page which requires that you punch in a bunch of personal information before you can register. The way that this usually works is that you have a Username or Email and a password. This is all find and dandy but we all know that it can be tough to host and effectively secure authentication credentials against attack and exploitation.

This relies on the fact that you manage the length and complexity of your passwords and usernames. Otherwise it relies on hopes and dreams to essentially stay under the radar from robots attempting to farm and exploit your accounts.

Some Duct Tape (TwoFactorAuth/MultiFactorAuth)

To combat insecurity issues with brute forcing and dictionary attacks we’ve come up with a new magical solution called Two Factor Authentication or Multi Factor Authentication where you use some randomly generated OTP (One Time Password) as well as your main password. This gets arduous and frustrating when you have 30 seconds to type in a password before it expires. Or you have to wait for an SMS to be sent to your mobile device reliably.

The Many Issues With MFA/TFA as a Bandage Solution

You now have the issue of always keeping track of not only your Username/Email and Password but you also have to hope that your phone is charged and that you remember the pin for your MFA/TFA so now you have to concern yourself with all of the following:

  • The location of your smartphone
  • Smartphone is charged
  • Integrity of your smartphones flash storage
  • Secure backups of your TFA/MFA
  • The user ID that was used [Pin/Email/Username/ETC]
  • Passphrase[hopefully]
  • This list can go on and on…

And Now for Something Completely Different

With SQRL you are offered a QR code which you can scan or click (depending if you’re on a mobile browser or not). This QR code sends a bunch of gibberish to your mobile scanner app which you now use your private master key which is generated by the mobile app and then send the signed result back to the website/service to prove you are who you are and that you’re checking in.

The Issues With SQRL

  • Location of your smartphone
  • Integrity of your smartphones flash storage
  • Your ability to securely back up SQRL identities
  • Remembering your Passphrase for SQRL
  • This list is significantly shorter and a broader explanation and case for use is made more effectively on the websites linked in the opening paragraph.

(Jeff Atwood) #2

If you wish to work on or fund a plugin that adds this, go for it!


(chamunks) #3

Really just making suggestions I don’t code personally, I’m basically just making feature requests until Discourse is such an awesome project to me that I have no choice but to run it :stuck_out_tongue:

The projects that I run are generally small open source stuff for gamers/game mod’ers. If it wouldn’t cost heaps of cash to get it coded I might pitch some cash at the idea. But I can’t really afford much for it right now. So they’d have to be willing to work for cheap.


(Sam Saffron) #4

One thing I would like to do to our login dialog is make “password” optional, if you try to login without a password we should prompt you

You have not entered a password, would you like me to send you a once off login link

I would find that tremendously useful, especially on mobile.

SQRL sound like a reasonably large chunk of work compared to just doing that.


(chamunks) #5

True enough, although I also see a lot of alternative issues that arise from this model. This sounds like it requires you log into your email or your android or something. Which sounds like a lot of extra time involved.

SQRL is nearly instant and already a complete solution which accommodates for a lot of security considerations. Its basically similar to OAuth minus the third party.

I do suggest taking a glance at it I think you might be impressed with its overall design. It really eliminates a lot more than what I wrote. I was just hoping to highlight some of what really stood out to me.

I am curious what the usual cost for something like this is.


(Jeff Atwood) #6

I would ballpark the average cost to build a plugin of average complexity (doing something significant) as about $5,000.


(chamunks) #7

Fair enough thats way out of budget for what we would need it for.

SQRL just seems like a reasonably decent alternative option to UserID // Password // MFA options which seems to be very security and privacy conscious. It has huge benefit of being designed to be extremely difficult and complex to crack.


(Sam Saffron) #8

Just keep in mind, your Email account >== your Password.

As long as we permit people to change passwords via email, we are allowing people to log in with just an email address.


(chamunks) #9

yes I suppose this is accurate its still slower and a lot of work, since theres a vast majority of people who probably don’t use inbox.google.com email tends to get buried or is slow or even worse completely blocked in some cases.

You do bring up a good argument essentially against MFA/TFA since you can generally reset your login credentials with your email regardless of the presence of your MFA/TFA. This in itself sounds like a security design flaw. In a perfect world people would have effective methods to handle passwords and such. The situation with SQRL is all you need to do is keep track of your phone and keep it backed up somewhere. Your password and email don’t play into the equation at all those become essentially optional. Granted you do basically rely on the person who owns the mobile phone to keep the thing backed up properly.