home.social

#sqrl — Public Fediverse posts

Live and recent posts from across the Fediverse tagged #sqrl, aggregated by home.social.

  1. @timbray This is why I like #SQRL (en.wikipedia.org/wiki/SQRL) better.

    Sure, instead of using a standard protocol, he used a custom one so he didn't have to trust browser manufacturers not to trash the extension API to lock out non-proprietary implementations, or standard web service library implementations not to have security flaws that undermine the whole thing. I thought it was a poor choice at first because it would be harder to implement, but now, it seems prescient.

    #PassKeys

  2. @btaroli it's at times like this that edits to squeeze a post into 500 characters can cause problems.

    The limitation in #SQRL that I was referring to was that it defaults to a single secret key per identity, and that it is painful to have many identities, but that detail was hard to fit in 🤷‍♂️

  3. @btaroli I agree that #SQRL has a lot of potential.

    I am not as keen on the fact that it uses a single private key as the basis for everything and that it has a full custom protocol rather than a simple REST API, but these are not fatal flaws.

    Whereas the #Passkeys attestation feature seems like a recipe for abuse, allowing incumbents to insist on proprietary platforms. The lack of ability to transfer keys between major platforms in something that is supposed to be interoperable is disturbing.

  4. I wonder how hard it'd be to get SQRL to load rules from a database? Currently it seems to be all based around filesystems and pre-compiled files.

    I guess this makes sense in systems where you track all the changes in git and automatically deploy the service, but I'm not sure that's suitable for all environments?

    github.com/sqrl-lang/sqrl/

    #sqrl

  5. @arstechnica so this is more about the Google Authenticator specific synching mechanism as a #security risk than any inherent #TOTP problem.

    I get why there's a reference to #FIDO2, but I'd much rather use #SQRL than something that locks users to a specific, (probably) untrustworthy, provider.

  6. @sweis from what I've heard on SecurityNow, there's a HUGE drawback... dependency on a provider, and they are non-interoperable. Sure there's a standard, but you can't move your account, so you're locked into either Apple or Google, or worse, both at the same time, and you have to trust them.

    As odd a duck as #SQRL is, it sounds like a much better system and what FIDO was originally trying to be, when they gave up on forcing the use of physical tokens.

    Cc: @leo

  7. @hexorg Take a look at how SQRL does this, deriving secret information per site in a similar manner, but allows for master password change and password rotation per site too. Extremely clever and hits all the edge cases. Extremely well documented and working code exists. #SQRL #infosec
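The per-site derivation the post above refers to, as an added illustration that is not part of the post and not GRC's SQRL code: SQRL documents the per-site private key as HMAC-SHA256 keyed with the identity master key (IMK) over the site's domain, with the master password only protecting the IMK at rest. The example reproduces that derivation with the Python standard library and shows why a master password change leaves every site key unchanged. Two things are assumptions of this example rather than SQRL's format: lowercase domain normalisation, and `hashlib.scrypt` plus an XOR wrap standing in for SQRL's EnScrypt and AES-GCM wrapping of the IMK. The Ed25519 signing step that follows the derivation is omitted.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Constructed 32-byte identity master key (IMK) for the demo; a real identity
# uses 32 random bytes generated once and never disclosed to any site.
DEMO_IMK = bytes(range(32))


def site_private_key(imk: bytes, domain: str) -> bytes:
    """Per-site private key = HMAC-SHA256(IMK, site domain), as SQRL documents.

    The site never sees the IMK, and keys for different domains are
    computationally unrelated, so a breach at one site does not expose the
    key used at another. Lowercasing the domain is an assumption made here.
    """
    return hmac.new(imk, domain.lower().encode("utf-8"), hashlib.sha256).digest()


def _password_key(password: str, salt: bytes) -> bytes:
    # scrypt stands in for SQRL's EnScrypt memory-hard password function;
    # the parameters are chosen for a fast demo, not taken from SQRL.
    return hashlib.scrypt(password.encode("utf-8"), salt=salt,
                          n=2 ** 14, r=8, p=1, dklen=32)


def wrap_master_key(imk: bytes, password: str,
                    salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Protect the IMK at rest under a password-derived key.

    XOR with a fresh 32-byte key is a constructed simplification of SQRL's
    AES-GCM wrap: it hides the IMK but does not authenticate it, so a wrong
    password yields garbage rather than an error.
    """
    salt = salt if salt is not None else os.urandom(16)
    kek = _password_key(password, salt)
    return salt, bytes(a ^ b for a, b in zip(imk, kek))


def unwrap_master_key(salt: bytes, wrapped: bytes, password: str) -> bytes:
    kek = _password_key(password, salt)
    return bytes(a ^ b for a, b in zip(wrapped, kek))


def change_password(salt: bytes, wrapped: bytes,
                    old_password: str, new_password: str) -> Tuple[bytes, bytes]:
    """Re-wrap the same IMK under a new password.

    Every site key is derived from the IMK, not from the password, so the
    per-site keys (and the logins registered with each site) are unchanged.
    """
    imk = unwrap_master_key(salt, wrapped, old_password)
    return wrap_master_key(imk, new_password)


def demo() -> bool:
    """True when the three properties above hold for the constructed IMK."""
    k_a = site_private_key(DEMO_IMK, "example.com")
    k_b = site_private_key(DEMO_IMK, "example.org")
    distinct_per_site = k_a != k_b

    old_pw, new_pw = "correct horse battery staple", "new passphrase"
    salt, wrapped = wrap_master_key(DEMO_IMK, old_pw)
    salt2, wrapped2 = change_password(salt, wrapped, old_pw, new_pw)
    imk_after = unwrap_master_key(salt2, wrapped2, new_pw)
    same_site_key = site_private_key(imk_after, "example.com") == k_a
    wrong_pw_differs = unwrap_master_key(salt2, wrapped2, "guess") != DEMO_IMK
    return distinct_per_site and same_site_key and wrong_pw_differs


if __name__ == "__main__":
    print("all properties hold:", demo())
```

The unauthenticated XOR wrap is the one place this deliberately falls short of the real scheme: a wrong password silently produces a wrong IMK, which is why SQRL wraps with an authenticated cipher and why any real implementation should verify the unwrap before deriving site keys from its output.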

  8. @sjanes @pcrock I had forgotten about and have been waiting for to gain traction. Given the heavyweights behind webauthn, that seems like the standard that has a better chance, for better or worse. Recovery will always remain a challenge for the general user. Either way, I hope we get something better than passwords soon (though I've been very happy with in the meantime).

  9. @georgia haven't heard of #SQRL, I'll have to look that one up. Any good intro links you can recommend?

  10. So as a follow-up to anyone that's interested, I've had some feedback from Karol Babioch (@kbabioch), author of docplayer.net/53523762-Fakulta (thanks @erAck for sharing), who also worked with the SQRL team.

    In short, sounded cool when it was conceived 5 years ago, but it never lifted off. Nowadays, there are more mature standards backed by bigger companies to achieve strong lone factor authentication.

    So take a look at (fidoalliance.org/about/what-is), and related and .

  11. @erAck

    From that thesis (I have yet to finish it), there's a link to the open newsgroup where people interested in can and have been discussing. Although it's hosted by Gibson Research, the discussions there could be proof of good will.

    grc.com/groups/sqrl

  12. @Naughtylus
    What makes me wonder is, it's five years old, yet it gained no traction and no actual implementation picked it up for real; other than proof-of-concept server and client implementations and kalaspuffar's app on F-Droid, it seems not to have been adopted.
    #SQRL